GDPR five months on: A greater focus on personal data security, reputational risk and compensation claims necessary
Prior to May 25 2018, General Data Protection Regulation (GDPR) compliance was often discussed and debated from three vastly divergent and arguably equally impractical viewpoints.
The doomsday view: The end is nigh - in order to survive the legislative onslaught we must take major actions along the lines of mass deletion of valuable and often company-critical data, bombarding our customers with requests for consent/re-consent and applying inappropriately high controls to low-level risks whilst remaining unaware of many higher-level risks. The buzzphrase associated with this view was “Are you aware that you will be fined €20 million or 4pc of gross turnover in the event of a breach?” There was a disproportionate focus on fines.
The "been here before" view: Just another Y2K, what is all the fuss about? We all know that this will just fade away in time. Let’s just sit back and do nothing and take the view that “sure we’ll be grand”.
The Hamlet view: This Shakespearean tragic hero was undone by his tendency to procrastinate or, in simpler terms, to avoid making decisions and acting upon them. Many organisations, when faced with the prospect of GDPR compliance, were aware that they would have to make changes, and indeed what some of those changes would have to be, but delayed or avoided taking those decisions and actions.
GDPR: Five months on
As we are now clearly seeing, none of the mainstream views described above was practical. Our recommended view to clients was and still is the following:
The Pragmatic view: This is emerging legislation which is still to be further clarified, tested and refined. Organisations need to focus on the clear achievable requirements, act on those requirements and take a sensible and risk-based approach to GDPR compliance in general.
There must always be a balance between GDPR compliance and productivity.
In basic terms, if GDPR compliance means that you compromise business operations to the point of potential loss of your business then you are not applying a sensible and risk-based approach. Legislation is not intended to force organisations out of business and the GDPR is no exception.
There needs to be a greater focus on security around personal data and the consequences of reputational risk and data subject compensation claims.
Contrary to the early published views that GDPR compliance is not about security, consider for one moment that you have all of the privacy notices, legal bases for processing and key mandatory processes, like subject access request and data breach reporting, defined and in place. If you now have a security breach which involves personal data, you may still be heading for major trouble.
For most organisations that do not fall into the huge multinational industry categories, the predominant risks are loss of reputation and potential data subject compensation claims – not fines.
Data breaches make headlines – fact. Unfortunately, when suspected or actual breaches make headlines, either through reputable channels or social media, it is very difficult to undo that reputational damage, even if it is later proven that the event was not an actual personal data breach. Reversing negative public perception is not always possible. The ultimate consequences can be loss of business from clients or customers who may now view your organisation as untrustworthy and a potential liability.
Sharon O’Reilly, GRC Consultant, IT Governance EU, will be a contributor at Dublin Information Sec 2018, Ireland’s third annual cyber security conference, at Dublin’s RDS on October 15.
Dublin Information Sec 2018 is an Independent News and Media event. Please visit www.independent.ie/infosec18 for further information and tickets.