The May 2018 deadline for the enforcement of the General Data Protection Regulation (GDPR) is only some 6 months away and the commercial market is already showing signs of overheating: conferences, certification offers, tools and the supporting stream of gloomy stories and polls to get the flow of “fear-buying” going.
But is it just a load of hype? In theory, no. Just ask the companies in the UK fined recently by the Information Commissioner’s Office (ICO) for data protection breaches under the current UK Data Protection Act. The DPA is a kitten in comparison to the GDPR lion: in short, it’s serious business.
JD Wetherspoon, the well-known UK pub chain, announced a few weeks ago that it is destroying its customer email database and ceasing all its email newsletter campaigns. The root cause: a data breach suffered by the company in which over 650,000 email addresses were affected.
It was not revealed what the reason for the breach was, whether a failure in security technology, a missing governance process, insider fraud or just human error. Probably a bit of all of the above is my guess. Regardless of the cause, the business impact is huge, both in direct costs and in indirect reputational damage.
I don’t know yet if Wetherspoon will be warned or fined by the ICO; that depends largely on whether they can show acceptable preventive measures in place and a record of the right containment measures. In the case of a fine under the DPA we are talking tens to a few hundred thousand pounds; under GDPR this could be as much as 2% of the company’s worldwide annual turnover (the tier that covers security-of-processing failures; the top tier for the most serious infringements is 4%).
The whole idea behind GDPR is to redefine the way personal data will need to be collected and processed, handing the power back to the data subject. Every UK and EU organization collecting, holding and processing personal data will be impacted, even if you have only collected some name and address information for marketing or customer care purposes. It is far-reaching, unambiguous and applies across the EU from May 2018. Brexit will not be an escape either, neither in the intermediate period nor when executed, since the UK has committed to a GDPR-equivalent in domestic law, which the ICO will enforce.
Many organizations have underestimated the impact of GDPR and the necessity to act upon it. So logically the industry sees money and throws in training, certification, consultancy and lots of “indispensable” tools.
But wait a minute: am I experiencing a déjà vu here? Didn’t we see the same with the Foreign Corrupt Practices Act (FCPA), or when Sarbanes-Oxley (SOX) came into force? Then, too, the implicated companies were hounded by auditing firms, consultants and tool vendors to buy “mandatory” tools to address the compliance demands.
Well, if this analogy holds, there is good news. After 15 years of SOX, smart companies have realized that a pragmatic risk-based approach, a good governance process and some smart supporting tools give far better results, both in delivered business value and in cost of ownership, than the first “shock and awe” wave delivered by the industry.
Yes, for SOX it took 15 years, maybe for GDPR we can apply the lesson learned straight away.
Concentrate on awareness of what and how data breaches can impact (the risk), take the appropriate measures to prevent them (the process), set up the organization and structures to monitor (the governance) and have the cookbook ready for when something happens (the plan to act; note that GDPR gives you 72 hours from becoming aware of a notifiable breach to inform the supervisory authority, so the plan has to exist before the incident). Oh yes, maybe you need some tools for documenting and monitoring all of this, but you may have them in house already for other purposes.
Perhaps I’m an optimist in thinking we will take the SOX lessons learned to heart for GDPR. Our industry is always thirsty for new FUD topics, so at least until May 2018 you will be tempted to buy into their stories. My advice: if you do so, make sure you opt in when leaving your data with them!
Thanks for reading…