The headline to the General Data Protection Regulation (GDPR) has been the fines, "ever since the first draft was published", said Mac Macmillan, a data protection counsel at Hogan Lovells International.
Telling not just the supervisory authority, in the UK the Information Commissioner's Office (ICO), but also the individuals whose data has been stolen becomes a serious duty under the GDPR. From May 2018, offenders may be subject to fines of up to four percent of global annual turnover or €20 million (£16 million), whichever is higher.
Those numbers have been putting the fear of god into board members. That, said Macmillan, is "quite useful because it gets the board's attention". Historically, board members and executives have been notoriously hard to persuade when it comes to strengthening an organisation's security posture. Where earnest persuasion once failed, "the fine is a useful tool for changing attitudes".
|Naveed Islam, head of information security strategy at Dixons Carphone, talks through the intricacies of GDPR compliance|
Macmillan addressed SC's roundtable at central London's Beaumont Hotel. Entitled "Ensure you can respond within 72 hours of a breach by acting now" and sponsored by ZoneFox, the roundtable brought together a variety of information security professionals to discuss the breach notification requirements of the incoming piece of landmark European regulation.
Firms will have to start thinking hard about how they're going to notify the authorities when that old cliché about there being two kinds of company, "those who've been breached and those who don't yet know they've been breached", rings true.
You don't have to notify the data protection authority every time you've been breached, only where the breach is likely to result in a risk to the rights and freedoms of the individuals the data relates to, known under the GDPR as "data subjects". A breach that ends up enabling identity theft against one of its victims would then be notifiable. There are three circumstances in which you will not have to notify the data subjects themselves, added Macmillan: if you take steps to negate the harm of the breach; if the stolen data has been rendered unintelligible; or if notification would involve disproportionate effort on the part of the breached entity.
|Matt Little, CTO of ZoneFox, the sponsor of SC's Roundtable|
What the GDPR will require is a change of mindset on the part of those who have to comply with it. "When people think about security breaches they're thinking very much externally", said Macmillan, but the GDPR's definition of a personal data breach covers insider incidents and accidental loss too. When thinking about the harm to a data subject, firms will have to broaden their horizons: "It's not just about financial risks", said Macmillan, "you need to think more widely, and you need to think in terms of context".
The fines might be scary, but Macmillan says the ICO won't be as vindictive as that headline might suggest. Within the data protection watchdog, "there is a recognition of the practical realities of what's going on", said Macmillan, adding that the ICO is "more concerned with you getting it right" than with meeting a 72-hour deadline. Expect paperwork to pile high though. Regulators will want to see clear and documented processes and recorded breaches, even when you don't have to report them. The ICO, added Macmillan, "is always interested in 'why did this happen' and 'what are you doing to make sure this doesn't happen again?'"
|Thomas Naylor, consultant, Enablement.Tech|
The room thanked Macmillan for her thorough clarification, but it soon became clear that regulation can be an opaque thing.
"How much information do you need to give in 72 hours?" asked Naveed Islam, head of information security strategy at Dixons Carphone, pointing out that, though the GDPR may require you to report within a time limit, it doesn't say much about what exactly you have to report. A full report may be hard, if not impossible, to produce within that short window of time.
It helps, said Thomas Naylor, a consultant at Enablement.tech, to face an incident "having done the grunt work in advance". John Culkin, director of information management at Crown Records Management, built on that, saying "it's a good idea, before you have a breach, to know what data is significant." That is to say, to know what data you hold, where it is, what kind of data it is and so on.
Data asset audits will be on the minds of many ahead of May 2018. David Higgins, a veteran security consultant, remarked: "I would not underestimate the amount of work it's going to take organisations both to undertake their data asset review and to develop playbooks and processes" to respond to these kinds of events. It will be "a year 2000 type mountain of work", added Higgins.
That "mountain of work" might be more of a chance at renewal than a burden: "GDPR is part of a larger opportunity to spring clean", said Olivia Bosch, director of International Security and Communications Ltd. During the Y2K scare, which some believed threatened to throw civilisation into chaos, Bosch told the room, "some of the more enlightened ones saw this as an opportunity."
Trevor Lee, senior vice president of IT at Aveva, recalled bluntly, "I didn't see Y2K as an opportunity". His concern about the GDPR is its requirement to ensure not only the security of your own organisation, but that of your partners too: "As time goes on you'll have to do a whole lot more analysis of your SaaS (software as a service)."
The problem of data storage location clearly weighed heavily on the panellists' minds. What the GDPR demands of an organisation changes dramatically depending on where its data is held and who is processing it.
While the GDPR places direct obligations on the data processor, which could be a SaaS or cloud provider, to secure the data it handles, the ultimate responsibility still lies with the controller. Controllers will have to make sure that third-party services which process their data are compliant.
|John Culkin, director of information management, Crown Records Management|
But, said Culkin, "how far do you go down your supply chain?" An individual company may use any number of third-party services, each of which could be a chink in the armour when it comes to defence. To what extent does one company have a right to dictate the risk appetite of another, even if they do work together? Then again, added Lee, "should they be able to sell you a service that's not compliant?"
"One person's 'good enough' is nowhere near close enough for somebody else", said Matt Little, CTO of ZoneFox, our sponsor for the day.
The question of third parties extends beyond breaches from outside. It's often a case of "not only who has got your data", said Higgins, "but where is it this week?"
If a third-party processor moves your data without telling you, the controller, could that count as a breach? asked Islam: "If a SaaS provider moves your data (from a country compliant with GDPR rules to one which is not) but they don't make you aware, how does that work from a regulatory perspective?" Macmillan told the room that, thankfully, if a processor were to act outside its instructions in this way, the controller's back is covered. In such a case, the processor that made that decision without telling its controller would assume the liability of a controller and be subject to any fines it incurred, possibly on the higher four percent scale.
The GDPR, added Macmillan, is not about making sure you don't get breached: "Your responsibility is to have appropriate technical and organisational measures in place, it's not to make sure you don't get hacked." It's about "moving from reactive to proactive" and making sure organisations have put the correct measures in place to protect their data. To that end, training is critical, since in "the majority of breaches, we know there is some human involvement somewhere." Regulators will take notice of things like that, as evidenced by several recent ICO decisions which noted the lack of training on the part of the offending organisations.
So what happens after May 2018? "It will be really interesting to see how organisations' posture changes in response to this”, said Higgins. “I can see some big organisations saying 'everything is a security incident'”.
There is the possibility that people will be overly focused on the regulation: "GDPR is another little box that's getting an awful lot of attention that's part of a larger picture", said Lee, "I wouldn't want to spend all the money there".
That said, added Lee, "I'm embracing that shift from security being an IT responsibility to this being a risk management process because it gives an opportunity to get more people involved."
This is a "good opportunity to get departments to talk to each other", added Culkin: "Everyone forgets the rights that people are getting". More, he said, “needs to be made of the positives.”
"The FUD (Fear, Uncertainty and Doubt) element of this only lasts so long", said Islam. FUD, however, suffers from diminishing returns, as does the scare effect of the fines. GDPR compliance, he added, "is now just good corporate responsibility."
"The people who are making it work for them are doing it across the organisation; they're involving everybody,” Macmillan said as she concluded the roundtable, “I wouldn't go so far as to call it an opportunity but you have to make GDPR work for you."