Welcome to Part 3 of “3 Compelling Reasons to Invest in Cyber Security”. In Part 1, I discussed assessing and prioritizing your organization’s risks as well as commencing a risk assessment. Part 2 covered the importance of assessing your organization’s supply chain and including those findings within the overall risk assessment.
Step 3: Complying with GDPR
In step 3, I discuss how General Data Protection Regulation (GDPR) is a catalyst for security investment. (Don’t miss part 4, which reveals what key pieces of information the board will be looking for from your presentation!)
GDPR is Europe’s new framework for data protection laws, replacing the previous 1995 data protection directive. The previous UK law (Data Protection Act 1998) was based upon this directive. GDPR is designed to harmonize and modernize data privacy laws across Europe and also give greater rights and protection to individuals. Since GDPR came into enforcement on 25th May 2018, business processes and data handling have undergone significant transformation.
GDPR is applicable across the whole of Europe and allows countries to make their own minor changes. In the UK, the government has created a new Data Protection Act (2018), which replaces the Data Protection Act (1998).
The board must take GDPR very seriously. With possible fines amounting to 4% of annual global turnover, I’m sure the board are on the edge of their seats regarding compliance! Your organization is subject to GDPR if it conducts business with at least one EU citizen in one EU location, regardless of where your organization is headquartered or where it conducts business. If you think off-shoring your business gets you out of complying with GDPR, then think again!
Considering these factors, as well as the reputational damage, non-compliance with GDPR can potentially be ruinous for your organization and/or the board. So, GDPR is clearly a crucial element of your justification to the board for a security investment.
At the end of the day, your organization (including the board) should confidently be able to answer these questions within a GDPR assessment:
- What personal data do we hold?
- Where is this personal data held?
- What is it being used for?
- How secure is it?
Depending on the complexity and size of your organization, conducting both a risk assessment and a GDPR assessment could involve significant time and resources, especially if staff have already begun the risk assessment described in Part 1. For example, all public sector organizations must appoint a Data Protection Officer, and all private organizations should consider whether they are required to do the same.
The Data Protection Officer is responsible for advising the organization of its obligations. The Data Protection Officer must report directly to the board/management and have ‘expert knowledge’ of data protection. Without a doubt, the Data Protection Officer will need to work alongside the security team for certain tasks.
Similar to the risk assessment, the GDPR assessment must be continuously applied to uphold compliance. As part of your justification to the board, I will briefly discuss the activities involved, indicating the necessity for time and resources:
- Acquiring Consent: Your organization’s terms of permission must be clear. Therefore, terms and conditions must not be structured in a complex manner, which may confuse your customers/users. Consent must be easily given and withdrawn at any time.
- Timely Notification of a Personal Data Breach: If a personal data breach occurs, your organization only has 72 hours to report this breach to your customers, data controllers, and the Information Commissioner’s Office (for the UK). A personal data breach is defined under the Regulation as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed”. If you fail to report breaches within 72 hours, fines will be on their way!
- Request for Information: If a customer or user requests their data profile, your organization must provide a free and comprehensive copy of the data which has been collected as well as a summary of the manner in which it is being used.
- Right to be Forgotten/Right to Data Deletion: Your customers/users have the right to request that your organization completely delete their personal data.
- Data Portability: Your organization must provide personal data belonging to a customer/user for their own private use.
- Privacy by Design: Your organization is obliged to design its data collection products with security protocols integrated from the start.
- Appointing a Data Protection Officer: Your organization may need to assign an existing member of staff or recruit a new resource to be a Data Protection Officer. This depends on the size and complexity of your organization.
Considering these seven activities, it’s clear why time and resources must be allocated by the board in order to comply with GDPR.
- Content by: Rajinder Tumber
- Originally posted at https://www.forbes.com/sites/rajindertumber/2019/01/19/3-compelling-reasons-to-invest-in-cyber-security-part-3/