The General Data Protection Regulation (GDPR) is set to arrive in May 2018, and the new legislation will hold organisations accountable if they are found not to be compliant with its standards. The fines that can be imposed could prove crippling, so awareness should be at an all-time high with only a year to go.
Despite the grievous risks of not being ready for the new regulation, companies have been found lacking in awareness and preparation. A recent Imperva report carried out at RSA 2017 revealed that only 43% of companies are in the process of preparing for the impending storm.
A worrying 28% were not aware of anything actively being done to shore up their data protection processes and precautions, while 29% were not doing anything at all.
Rashmi Knowles, Field CTO EMEA at RSA Security, shared her thoughts on how well organisations understand, and are prepared for, the arrival of this huge wave of regulation.
She said: “I would say it is a mixed bag. I think there are some customers who are fairly advanced and they kind of know what they need to do, and I think they fall into the category of organisations that currently have to comply with the Data Protection Act, because there are a lot of similarities between the Data Protection Act and GDPR. So I think they understand the implications of GDPR and what they need to do.”
Some of the recent, high-profile breaches that have hit organisations may also have proven to be the catalyst for making them reflect on the state of their data protection. The stock prices of security vendors were found to increase in the wake of the recent WannaCry ransomware attacks, indicating an expectation of increased activity.
“I also see some complacency with organisations where they know they have to do it, it’s a year away, and they think that they are ready, but they don’t really have anybody owning it, or they say that it is a legal thing, or it’s an IT problem,” said Knowles.
It would perhaps be easy to assume that some industries are on top of any potential problems and are fully aware of GDPR and its arrival, but even the sectors that should be most prepared have been found to be lacking.
“I do a lot of work in the financial services, where you expect them to be forward leaning… many of them are struggling with GDPR, very specific aspects of it, even things like breach detection,” said Knowles.
“There was a survey out a few weeks ago that was saying that only one in five banks in the UK feel confident that they would be aware of a breach. So I think there are elements that would be challenging to most organisations.”
The lack of readiness in financial services could prove even more problematic than in other sectors, as the industry handles a large amount of sensitive data, meaning that it will be in the spotlight under GDPR when it arrives.
Mark Thompson, Global Lead of KPMG’s Privacy Advisory Practice, has been working with organisations to help them tackle the preparation process in the run-up to May 2018, and he too has seen a mixture of reactions to the regulation.
Giving an analogy to illustrate the different reactions organisations are having to GDPR, Thompson said: “I will start with a little safari example. On the far left-hand side you have the emus; these are just burying their heads in the sand. They are pretending GDPR doesn’t exist and Brexit is going to take all the pain away.”
“Moving a little bit further along you have got the donkeys, and these are the organisations that believe cybersecurity is the same as privacy. So you spend £100m on your cybersecurity programme, so you know what, all is good don’t worry about it… Further on you have got the armadillos, and these are the people that believe it is a legal issue and are burying themselves in legal documentation and are lawyered up to the hilt. Lovely bits of paper, but it does not reflect anything close to what is happening on the ground.”
“We have then got the cheetahs, and they have picked up on something like data mapping, or international transfers and they are chasing after that gazelle, changing direction every two seconds, will they get there? Maybe, maybe not, but they are burning a lot of energy for potentially very little reward at the end of it.”
“We have got the lions, and the lions are the organisations that are standing there saying look how great we are. A lot of the lions haven’t realised that they are actually in the North Pole now, and the polar bear is the king of the jungle out there, and it probably won’t be a great world for them.”
“Then you have a very small minority of organisations who are operating in fox, they are being cunning, they are being risk based. What is important for one organisation in terms of privacy may not be important for you.”
With such a variation in the types of response to the regulation, it will be interesting to see which strategies work, and also how quickly the organisations that are ignoring the coming changes are affected.
Mr Thompson said: “A fundamental issue, consistently, is there is no ownership at the board level. So I have presented at a number of roundtables with FTSE organisations, and there have been around 100 board-level execs and they all just looked at me as though I was an alien. When you ask who owns this at a board level, everyone points at everyone else.”
Summarising the risks that many organisations are walking into, Mr Thompson outlined the importance of the data in question: “Personal information is like electricity. Treat it carefully and it can enrich everything in your life and enable you to do fantastic things, but with GDPR getting it wrong can cause a very significant shock.”
With a year to go it is not too late to evolve from an emu into a fox: to begin preparing, make the most of GDPR, and actually benefit from the new control over data and the benefits it brings for customers.
Raef Meeuwisse, Governance Expert, ISACA, said: “GDPR is an opportunity and it’s a threat. It is an opportunity for the companies that take efficient and well-engineered approaches to solving it, skilling up with things that are available from the ICO, ISACA, IAPP and others, but it is a threat to the organisation that is complacent and potentially takes a more dangerous approach to this.”