Today is the day many organizations around the world have been preparing for. As GDPR becomes enforceable, we sat down with Jerry Caponera, VP Cyber Risk Strategy, Nehemiah Security, to talk about this important regulation and its wide-ranging impact.
What are the most common misconceptions about the GDPR?
I think one of the biggest misconceptions about GDPR is that companies have to be “done” by May 25th or the fines will start rolling on May 26th. The reality is that being compliant with GDPR is an ongoing process, not a “one time” checklist. Fines will be levied on companies who are completely lackadaisical in protecting data, but I’d expect the commission to work with companies before levying large fines on them. GDPR is about data protection but also contains guidelines to follow, which affect how the commission will review any data breaches.
The other big misconception is that GDPR is forcing companies to think about something new. Legislation in the EU and UK to protect data has been around for years before GDPR. What’s new in GDPR is the potential size of the fine and the fact that it can affect non-EU companies. Getting companies to think seriously about how they protect data has been an ongoing effort for many years.
How do you expect the GDPR to impact organizations worldwide? What should boardrooms be most worried about?
Thomas Friedman wrote a book called “The World is Flat”. If I were in a boardroom right now, that would worry me the most. Companies outside the US can be fined under GDPR regulations if they have the data of EU citizens and it’s misused. While companies in Europe are prepared, a manufacturing company in the Midwestern United States that doesn’t think it does business with the EU might want to check its suppliers and partners to be sure.
It’s interesting: most organizations have some understanding that they are at risk of cyber-attacks. I read a recent report of over 400 CEOs who said that cyber risk was their number one risk as an organization, and yet only 26 percent of those CEOs thought they were prepared. And so that in and of itself helps to set this kind of baseline for where the industry is today. If organizations believe cyber is their biggest risk, yet they don’t know if they’re prepared for it, we’re not doing something correctly.
Another thing boardrooms need to worry about is how diligently they’re taking cyber security for the organization. The commission responsible for levying fines related to GDPR will take into account and measure the degree, both technical and process, to which companies take steps to prevent (and remediate) breaches. The old adage “an ounce of prevention is worth a pound of cure” is an apt analogy to how boards should be preparing for GDPR. Companies that haven’t prepared or can’t show diligence will be at risk for a much larger fine than those that are prepared.
I also believe that GDPR is just starting to scratch the surface of where these kinds of regulations are going. Over the last few years, cyber has really started to make the leap from technical to business because of the money involved. Take the Verizon/Yahoo deal, for example: the disclosure of a breach knocked that price way down. Over the next three to five years, more is coming in terms of forcing organizations to prioritize their material risks.
Given the increasing complexity of the compliance landscape, and the rising importance of privacy, should more large organizations hire a Chief Privacy Officer?
I’m seeing more and more companies realize that in the digital age, one of their most important assets is data. Understanding what data you have, where it’s stored, how it’s used, and what regulations apply to it is a full-time, ever-changing job. I think an apt title for someone who handles the complex compliance landscape would be a Chief Data Officer, and I’m seeing more companies adopt those as regulations grow.
One of the unwritten objectives of a Chief Privacy / Data Officer is to maintain the “trust” consumers have that their data is being well protected. For that trust to be maintained, Chief Privacy / Data Officers need to be empowered to change culture before a breach, not be the face of a company post-breach. Companies should consider hiring for this role but also understand that if they don’t empower the privacy officer to change the corporate culture, they might not get the benefit they’re seeking.
Study after study shows that a great many organizations are not going to be prepared for the GDPR when it comes into effect. What advice would you give to all of those scrambling to become compliant?
Compliance with GDPR will take time, and is certainly not a one-time thing. The best thing companies can do is to continue to take their compliance seriously, and to document the efforts they are taking. The second thing they can – and should – do is realize that this effort doesn’t end on May 26th. Compliance will be a continual effort and while a company might be in compliance for a while, they should continue to steward EU data (and all data for that matter) with diligence.
Companies struggling with preparation should take a step back and first identify what data they might have that applies to GDPR regulations. The second step is to identify where that data is stored in the organization, and who might have access to it. Start with a simple understanding of what you have: do a business inventory, identify the business processes that matter most, and figure out the applications that power them. Create a map of the data, its location, and then the access rights. From there, the company can work to prioritize where to start better securing its data, which will help as it shows diligence in securing data (a key factor the commission will look at if a data breach occurs).
You can do business continuity planning, or a business impact analysis; those are things that organizations have done, and are two great ways to start thinking about how you build that inventory of what you have. I would suggest that companies start getting their house in order, because there is increased regulation coming, fines will start to come, and the only way you’re going to be ready is to prepare business mappings to the technologies that support them.
What’s your take on the GDPR fines structure? Are they severe enough to make organizations take this seriously?
I’m probably one of the handful of people who say I’m grateful for what the European Union did with GDPR. Not normally being a guy who’s big on compliance, the thing I love most about GDPR is that they put dollar values into their fines; they put teeth into that. I think the GDPR fine structure is a great first step in helping companies realize that data security is a business problem and not a technical one. There are no limits on the fines GDPR imposes, which means companies could – purely in theory – lose 100% of their turnover on an annual basis.
Think of 4 percent of your revenue; that could be a really big number, and that’s what a fine from GDPR could land a company. It’s a great way to get companies thinking along the lines of: if I don’t do something, there’s a real fine with real dollar values. What the SEC did recently was release some guidance, which was good, but it’s kind of ‘the crawl’, as I like to call it. It’s mostly just guidelines, and did not take repercussions as far as GDPR went. The SEC is basically telling organizations that they need to start reporting on what their material cyber security risks are, which is kind of a lightweight first step in helping companies think about risk from that perspective.
I’d love to see the US get into a GDPR-like situation. Take the best of GDPR, evolve it as we learn more and see how the first stages of having GDPR implemented go, and get to the point where companies need to start not only disclosing what those risks are in dollars and cents, but also know that they’re going to get fined if they don’t do something to prevent it.
The interesting thing to watch will be how the commission that determines fines handles the first few cases. I don’t believe they will come out too strong or hard on small and medium businesses, but I think we could expect some large fines for bigger companies. It’ll be important to convey the seriousness of data security by making examples of a few companies early on after May 25th.
At the end of the day, if we can do nothing but help companies start to think about cyber from a business perspective and not just a technical one, we’ll have done well, we really will.