Listen to Chris Paton explain why businesses and organisations need to start taking GDPR seriously:
The GDPR (General Data Protection Regulation), which comes into effect in May 2018, will have significant consequences for every organisation and company that gathers and holds personal data. Organisations will need to put in place specific processes and measures to ensure that the data they collect and hold is protected and used only for the purposes for which it was collected.
The regulation affects multiple departments across an organisation, including Marketing, IT, HR, Sales, Supply Chain, Operations, Legal & Data Privacy, EPMO (Enterprise Project Management Office), Enterprise Architecture and Compliance.
Here at Quirk Solutions we have developed a GDPR Wargaming offering, following demand from our clients, to help them ensure they are in an optimum position for May 2018, that they are focusing on the right things over the coming months, and to help them assess the major risks their company faces and identify loopholes and possible failure points.
Full podcast transcript:
Hello folks, today we are going to be talking about GDPR, the General Data Protection Regulations that are due to come in in May 2018. These are the next step in data protection for clients, for employees and a range of different factors within your organisations. And, if you like, you can consider them as a step on from the U.K.'s Data Protection Act. And the GDPR regulations will still be enforced by the Information Commissioner, or ICO.
In essence, it's similar to the Data Protection Act, but it starts to go a little bit deeper in the definition of what is personal data. So, things like people's IP addresses, for example, could be used. And the implications that there are within an organisation are quite widespread, because you obviously have them for HR, within your own employment structures, and for your employees. There are also issues around clients and client lists, and around marketing. There are certain limitations within GDPR about how you go about contacting those marketing lists and what you can send out without people actually opting in to them, which is subtly different from you having an unsubscribe button at the bottom of your newsletters and the information that you send out. There are also implications for suppliers and supplier data, as well as compliance and assurance. So, it's a really broad range of things, and I think that's the first thing that we need to get our heads around really: for all organisations, this is not about it being an HR issue or it being an IT issue. It's an organisation-wide issue that needs to be dealt with in a holistic manner.
Does GDPR affect our business?
There is actually a worrying lack of awareness out there about it. In May of this year, it was widely reported that 84% of small business owners and 43% of senior executives in large businesses were unaware of GDPR and the fact that it is coming in, in May next year. And this is unavoidable. We might well be within the UK looking to leave the EU as part of Brexit at some point in the future, time still TBC according to the government, but this legislation will come into place in May, way before Brexit actually happens. Secondly, the ICO has already publicly declared that even when Brexit occurs it intends to bring something into national UK law that is similar to GDPR. So we need to get ourselves ready for this, and we need to get ourselves ready for it right now.
The regulations within GDPR, if I'm very honest, are frankly a bit woolly. They are pretty difficult to interpret unless you have been involved in this thing for a very long time, and I haven't, so I have taken external advice on this. If you simply search "Data breach 2017" on the Internet, you come up with a whole range of worrying facts and dates and incidents that have occurred. Just a few examples: on 1 October this year Pizza Hut lost a whole bunch of customer data, including billing addresses and full payment card details. So those could have been used and put together to create all sorts of problems in terms of identity theft. In September Deloitte suffered a cyber-attack in which client data and confidential emails with private plans were stolen. In July of this year, probably the biggest one of the year actually and the most significant, was a breach at Equifax in which full personal data, in terms of names, Social Security numbers, dates of birth and home addresses, was leaked for over 143 million customers within the US, and the credit card details of 209,000 people were breached, as well as 400,000 people being affected within the UK.
What level of fines can be expected under GDPR?
So I suppose the thing we've got to get our heads around really with this is that GDPR is something that we should be doing anyway, because cyber-attacks and hacking and attempted theft through the Internet are something that is going to become increasingly prevalent, if it is not already prevalent. And so, protecting ourselves from that just makes sense, not least being compliant with GDPR. GDPR just drives it as a greater imperative because of some of the financial fines associated with it. The fines that can be expected now for a minor infraction under GDPR are up to 2% of turnover or up to £10 million. And for a major infraction, it's up to 4% of turnover or £20 million. So doing nothing is not an option really. When you start to take those factors into account, it starts to become more interesting and a bit more influential.
According to research done by the NCC Group, fines will increase dramatically under GDPR compared to those under the Data Protection Act at the moment. For example, Pharmacy2U was fined £130,000 for a data breach incident. Under GDPR, the NCC Group assessed that fine would increase to £4.4 million. That is a vast, vast difference. And the TalkTalk breach that occurred in 2016, where they were fined £400,000, could increase up to the maximum of £20 million or even further. So this is a serious issue that needs to be taken seriously by all leaders in all organisations, and getting themselves right. And not just for the protection of their employees and clients, but for the protection of their businesses themselves. Because if you start to run into having a £4.4 million fine as a moderate to small business, then it is going to be terminal for that business.
How can I prepare for GDPR?
So what can we do about it? Well, the first thing that some people are doing is nothing. They are simply sitting there and saying, "Well, let's wait and see how this pans out. I'm going to wait to see what happens because I'm sort of trusting in my own ability and my own protection that I have in place, and I think we are broadly pretty good at data protection." The other end of the spectrum is to get in a highly specialised client or a highly specialised supplier who is going to be crawling all over you in terms of your GDPR compliance and making sure where you are and aren't compliant, at a significant cost.
So, what we are trying to look at here, and what we've developed, is a GDPR-specific wargame. We've gone out and found lawyers, we've found data protection specialists, we've found cyber specialists, and we are using those people as part of our red team to help test businesses' resilience for GDPR. And in that, what they are able to do is, if you like, dip a toe into the water and find out how far they are on or off the curve of preparedness for next May. So instead of doing nothing and just thinking, "Well, we're fine," it's a case of, "Well, no, let's really check." Let's put ourselves under a bit of pressure and work out where we aren't fine, or where there may be loopholes or issues that we need to worry about. It also allows people to work out how much they need to do between now and next May.
So it can be done either internally, within the organisation itself using the organisation's own people, or you can bring in some of the external expertise that we've recruited to sit there as that red team panel on the other side of the fence. The one thing that a wargame allows you to do, besides simply checking how far you're on or off the pace in terms of GDPR, is work with behavioural change and understanding. By bringing people into the room, by getting them involved, by exposing them to what's going on and helping them to understand what GDPR is, then you start to drive the behaviours that are so important to it, in terms of respecting the policies and procedures that are in place to protect the organisation from cyber-attacks, which can only be a good thing at the end of the day.
So, I would urge everybody out there, regardless of where you are, to become aware of GDPR. It is European legislation, but it affects any organisation that has operations in the European sphere. So it could be a US organisation which has an EU arm or operations within the EU. It's going to affect the UK whether we are in or out of the EU, and obviously all other European countries. So it is a significant event that is coming up, and we really need to get prepared for it. And my organisation is certainly taking steps to make sure that we are, and I think that everybody else should too.