At every cyber security event, people talk about the new General Data Protection Regulation (GDPR). It seems as if the cyber security industry is obsessed with this new law and makes sure that everyone else knows about it too. Companies, consultants and lawyers are hopping on the GDPR train, because there is a significant opportunity for new services and products. However, there is also a lot of misconception and scaremongering going around, which is typical of the cyber security industry.
After having attended 10+ talks on GDPR, here is what I have learnt:
1. It is a European Law, not a certification
GDPR applies to all European citizens and their data, meaning that:
- Brexit does not change anything
- Organisations outside the EU still need to comply if they store, handle or process data of European citizens, and
- Companies can become compliant or “GDPR ready” but cannot become GDPR certified (yet).
A law is very different from a scheme like Cyber Essentials or a standard such as ISO 27001. Lots of companies would like to have an official stamp that demonstrates that they are GDPR ready, but unfortunately, that doesn’t exist yet.
2. We don’t know the implications of GDPR yet
With GDPR coming into force next year, the cliffhanger to date has been the fact that the Information Commissioner’s Office (ICO) can issue massive fines – up to 4% of turnover or £17 million. Lots of “fake” news suggests that the ICO will be making early examples of organisations for minor infringements or that maximum fines will become the norm. However, the point of GDPR is not to fine companies for data breaches. The idea behind this stricter data protection regulation is to put consumers and citizens first, meaning a shift towards individuals having more ownership of their own data.
3. Not every data breach is treated the same
Every data breach is unique, just like every company. That means that every company will face different consequences. It is evident that an organisation that is ISO 27001 certified and suffers a data breach will face different consequences than a business that doesn’t have any cyber security controls in place. This applies not only to financial fines, but also to business continuity, customer trust, and so on. In general, it is important to demonstrate that your company is taking cyber security seriously, so you may want to start implementing some cyber security controls.
Controls are useful for every company, regardless of industry, size and type. To get started, create a data map and make sure you are absolutely clear where, how and why you store data in the first place. Then think about how you can protect the data that you do have to store. Data that is no longer used or needed should be deleted.
If it gets too complicated, you may want to look into common frameworks such as Cyber Essentials or ISO 27001 for more guidance. That is usually a good starting point.
In short: there is nothing to worry about with GDPR (yet?), as we don’t know what will happen with regard to breaches and fines. Start preparing now and become compliant, and there will be nothing you have to worry about.
The ICO has published a series of blog posts around common myths that are worth reading. They can be found here.