We spoke to Mike Zammit from Digital Change Agents about how the General Data Protection Regulation (GDPR) and cybersecurity go hand in hand.
What is the GDPR? Give us a brief introduction.
GDPR is a replacement for the current Data Protection Act (DPA), which is over 20 years old. It dates from a time when we didn’t have social media, and didn’t use the internet the way we do today, i.e. living every moment of our lives online − at work and at home.
The idea of the new legislation is to make the law fit for purpose in the digital age, and to help protect against data breaches and the misuse of personal data. Any company that fails to meet its requirements could face fines up to €20 million or 4% of annual global turnover.
What has driven the EU’s decision?
There are two reasons. In 1995, the EU wanted all member states to put a data protection law in place that would also make it simpler to share information across borders, so that it was easier to do business online. However, because the European Commission issued a directive and not a regulation, each member nation had to create and implement its own laws. This led to each member state having its own interpretation of the directive, which created the opposite effect. Instead of making it simpler, they made it more difficult for businesses to share data across borders.
Secondly, something needed to be done to strengthen citizens’ rights after several high-profile breaches, such as those suffered by Sony and TalkTalk. Vast amounts of information were stolen by cybercriminals who hacked into the systems of these companies. In the case of TalkTalk, 21,000 customers’ records were compromised. To protect citizens from these attacks, it was decided to give them more control over their own personal data, what companies can do with it, how long they hold onto it and what they do with it when they no longer need it.
More than ever before, businesses are responsible for protecting their customers’ data and keeping it out of the hands of cybercriminals. With the possibility of huge fines to punish those that don’t do enough, all businesses must have robust technical and procedural security measures.
What is the reaction of businesses that now need to strengthen their cybersecurity due to the GDPR?
In general, businesses of all sizes − large, medium and small − are still somewhat complacent. Some organisations are not taking it seriously. The latest reports suggest that approximately 60% of businesses are not ready for the GDPR. Most seem to hope that a cyberattack won’t happen to them, or if it already has that it won’t happen again.
What do you think the solution is?
To become GDPR-compliant, and to be serious about cybersecurity, requires buy-in from the highest level of organisations. Technology is only part of the solution.
Technology provides the tools to help people become compliant. There are human problems. What we need is a change of mindset, where chief executives and their boards of directors take GDPR and cybersecurity seriously.
Breaches are often preventable, because most are caused by human error − employees being careless or not knowing the right procedures. I have seen instances of people leaving laptops on the train, phones falling out of pockets, and even people moving offices and leaving cabinets full of sensitive information. If these devices or cabinets fall into the wrong hands, i.e. someone with malicious intent and the ability to hack into them, then the consequences can be dire.
Is the situation getting better?
We are seeing a gradual increase in people taking notice. However, crucially, it’s not getting to the very top − it’s not reaching decision makers.
I present at a lot of GDPR awareness days, where we outline the requirements of GDPR, the threat of cybersecurity and why businesses need to get on top of both before it’s too late. I have noticed that there are more directors turning up these days, but I have never seen a chief executive at an event and I’ve never been asked to discuss GDPR by a chief executive. The chief executive of an organisation can really make a difference, as the best transformation is always led from the top; if the boss says ‘do it’, ‘it’ usually gets done.
If you had a chief executive in front of you now, what advice would you give them?
First, it’s important to understand that this isn’t something that will go away. GDPR is happening, so you may as well get on top of it today. Likewise, cybercriminals are targeting businesses of all sizes; now is the time to improve security. When a cyberattack occurs, if you have not done enough to protect your customers’ data, you could be subject to a large fine, from which your business may not be able to bounce back.
Second, the GDPR and cybersecurity should be seen as a business opportunity, not a cost. It’s an opportunity for companies to stand up and build trust, to show that they are good corporate citizens and have a social conscience.
For further information on the GDPR, take a look at the Information Commissioner’s Office website.
Mike Zammit is a professional consultant who focuses on helping organisations improve performance and derive significant business benefit by implementing appropriate technology solutions. He can help direct your business through GDPR compliance.