Technology / #TEISS17: Businesses must properly prepare for GDPR or risk huge fines

#TEISS17: Businesses must properly prepare for GDPR or risk huge fines

Businesses need to prepare for the European Union’s new General Data Protection Regulation (GDPR) or risk being made an example of when it comes into full effect, according to an industry expert.

According to Edward Lucas, senior editor at The Economist and author of Cyberphobia, the incoming legislation will mean a huge shift for businesses, which will have to reconsider how they protect the personal data they hold to avoid potentially huge fines.

“This is going from being a thing where you might just possibly get sued to a thing where you might get very serious fines,” he told Business Reporter ahead of The European Information Security Summit 2017, which takes place in February. “This is a major threat to financials for a company that’s careless – or seen to be careless – with the personal data it holds.”

How the GDPR will be applied

The numbers associated with the GDPR, at least in theory, are huge. When it comes into full effect in May 2018, the regulation will mean breached businesses can face fines of up to €20 million (£17.9 million) or four per cent of their global turnover – whichever is greater.

“What we don’t know yet is how toughly this is going to be enforced,” Lucas says. “People are going to be looking very carefully at the first few cases that come up and seeing if this is going to be treated with the severity with which the food industry is treated if it starts poisoning people, or the laxness with which the financial services industry is treated if it rips people off.”

Although the regulation will come into force in just over a year and a half, Lucas says businesses will not know how exactly the penalties will apply until a major incident occurs.

“I think the key thing will be when we next get a Yahoo-style breach,” he says. “I suspect that once we get a breach, the regulator will go after that quite toughly. I wouldn’t want to be a big American online retailer if you just lost a lot of customer data to criminals, because that would be a perfect target for a European regulator wanting to show what it can do.

“The problem comes in that there are so many of these breaches happening all the time. I don’t think they’re going to be able to devote major investigative and enforcement resources. It’s going to have to work on a basis of deterrence, which is good – that’s how regulators normally work. But for that to happen, there will have to be some big scalp [taken].”

And British businesses should not expect Brexit to come to their rescue. Even the if the UK leaves the European Union and falls back on its own regulatory regime, Lucas says any firm with “any kind of footprint in the single market” will have to play by the GDPR’s rules.

Preparing your business for the GDPR

So what changes do businesses need to make to be ready for the regulation? Lucas says that first of all, those at the top need to realise the importance of security and data protection.

“Boards have got to start seeing that this cannot just be an IT function,” he explains. “This is something that could put you out of business… This goes to the heart of business processes, the way you monitor and screen your employees, the way you audit your internal procedures.”

Although he feels this responsibility will likely fall into the hands of the risk officer, company secretary or general counsel, Lucas feels the chief finance officer is best placed to handle cyber risk because “in many cases this is going to involve spending more money”.

In the time before the GDPR comes into full effect, he advises businesses to plan ahead and know “who is responsible for what” when an incident occurs. He recommends that they carry out penetration testing, ensure databases containing personal information are properly encrypted and run “war games” to practice responses – although he says industry notification processes can also be improved.

“I think that, not just because of [the GDPR], we need to get much better at notification,” he explains. “I think the best way of looking at this would be the public health model. If your company is affected by a dangerous infectious disease – whether it’s strictly your fault or not – you’ve got a wider responsibility to the rest of the community to notify them of that.”

He explains he would like to see an “American model plus” system, where companies must inform the regulator “the minute you know something”. Many notifications would require “clear reporting standards”, and Lucas says the widespread reporting of breaches could actually have a positive effect for firms.

“Once more companies start doing that, it becomes less of a reason for people to sell shares and criticise you for carelessness,” he says. “It becomes a sign of good corporate citizenship.”


See Edward Lucas speak alongside other industry experts at The European Information Security Summit 2017, held in February at etc.venues Westminster Bridge in London.

teiss