Every vendor at InfoSecurity Europe 2017 seems to have an angle on the General Data Protection Regulation (GDPR), and many of them are heavily promoting consultancy services and other products aimed at helping organisations achieve compliance.
However, with so many vendors pushing different angles, it is a challenge to know who to listen to.
Many surveys and statistics claim that few organisations are ready, prepared or even preparing for GDPR, and maybe that's because at first glance, GDPR compliance looks like an insurmountable task – an impression that is only reinforced by the fact that even the ICO is yet to publish final guidance on certain aspects of it.
The good news is – and many data protection pundits agree – that if you are applying the eight data protection principles correctly right now, you are already in good stead for GDPR compliance, as it shows you are proactively thinking about the problem.
That's the point of the GDPR: a change in mindset, encouraging a company structure which has “privacy by design” and puts data protection first.
In a way, it's a good thing there are so many vendors wanting to advise companies on how to become GDPR compliant. The UK's Information Commissioner's Office (ICO), as a government entity, would presumably never have the resources to speak to companies on an individual level and issue advice on how to achieve compliance.
Peter Brown, a senior technology officer at the ICO, told a packed-out keynote theatre at InfoSec on Wednesday afternoon that, with less than a year to go until the GDPR's honeymoon period is over, the issue isn't a “carrot and stick” one.
Yes, you can use the GDPR as a way to gain leverage with your board of directors if you wish, for example by highlighting the risks of a damaged reputation and a hefty fine, but he urged people to think of it in more positive terms, and of the opportunities available to those who do it well.
Brown told the audience to think of the reputation gained if a company can say it is fully compliant and is proactive in protecting its customers' information.
Of course, he had some stats to hand: 70 percent of people don't trust companies that aren't good at keeping information safe, 20 percent would stop doing business with a company if it had a data breach, and 14 percent think they have control of their data.
Brown said: “It's not about the fines, it's about doing things right. The GDPR is a 21st century bit of legislation and we should react accordingly by adjusting our behaviour and mindset towards data.”
Sadly, he added, “Even today there is a low rate of compliance with the Data Protection Act.”
So where should we be? “It depends,” said Brown. It varies from organisation to organisation due to size, requirements and resources available to the departments dealing with GDPR.
The ICO has published a twelve-step guide to compliance which Brown says is a good starting point. The steps discuss breach notifications, consent (implied or otherwise), data protection officers, privacy notices and much more.
Brown highlighted that SMEs are required to abide by the GDPR, and that everyone from SMEs up to enterprises should try out the GDPR assessment toolkit to get a rough idea of where they are on the journey.
It can seem daunting but as Brown said in his conclusion, “If you aren't busy, you should be.”