One year on since the GDPR came into force and there are a number of key trends and challenges emerging. As the ICO (Information Commissioner’s Office) gets tougher on enforcement and Data Subjects become more aware of their rights under GDPR, it’s clear that organisations need to put data privacy and cybersecurity at the top of their agenda and start to think about it in terms of privacy by design and by default, writes Alan Calder, Chief Executive of GRC International plc, parent company of IT Governance.
A key factor in achieving this will be embedding a culture of privacy that is embraced by everyone in an organisation and sits at the heart of that organisation’s operations. The road to effective privacy by design is not without its challenges. We’ve pulled together some of the key trends and common issues from the past year.
With the enactment of the GDPR it was clear there would be high demand for experienced Data Protection and Data Privacy Officers. A talent gap is emerging: people with the right skill set and the ability to act at board level are scarce. The cost and scarcity of experienced professionals are an issue for many organisations. The full picture is still emerging, but we are seeing some organisations appointing internally and asking for support while they up-skill, others outsourcing their entire data privacy function, and those that can afford it paying premium rates for highly experienced professionals.
Reportable vs non-reportable breaches
In line with what the ICO is saying, many organisations do not know how to differentiate between breaches that should be reported to the ICO and those that shouldn’t. In a speech to the CBI Cyber Security Insight Conference last September, the Deputy Information Commissioner, James Dipple-Johnstone, said that many organisations are over-reporting in order to be transparent, to manage the perceived risk, or because they think everything needs to be reported. As a result, the ICO has been inundated with breach reports – up to 500 calls a week between May and September last year alone.
With the ICO’s resources at full stretch it means they are not yet able to turn their full attention to assessing reported breaches or issuing enforcement notices/penalties. However, organisations should be under no illusions that a lack of action is a sign of weakness from the ICO. It is still maintaining a record of reported incidents and is very clear on what organisations should be doing. As the Deputy Information Commissioner stated: “If you adopt privacy by design, treat cybersecurity as a boardroom issue, and demonstrate a robust culture with appropriate transparency, control and accountability for your and your customers’ data, then we will not usually have an issue with you should the worst happen.”
The UK picture on data breaches is reflected elsewhere in Europe. From 25 May 2018 until 28 January 2019 (International Data Protection Day) there were almost 60,000 reported data breaches across member states, with the Netherlands topping the chart at 89.8 breach notifications per 100,000 people. Ireland was in second place with 74.9 and Denmark third with 53.3. The UK managed tenth place with 16.6 (Digital Guardian, February 2019). Incidentally, this is our best position in a Eurovision-type ranking since 2009, when Jade Ewen came 5th with “It’s My Time.” Liechtenstein recorded 15 breaches in total, not quite “nul points”.
Many organisations say that they can’t account for human error, such as when personal data is sent to the wrong email recipient, for example through the incorrect use of CC and BCC. However, weighing the convenience of autofill on email addresses against the right to privacy, and restricting it where appropriate, is something that can reduce the number of such errors within a big organisation.
The big fines we expected this year may be a little slow to arrive, but the ICO has been busy ensuring organisations pay their data protection register fee. In 2018, 103 penalties were issued for non-payment of the registration fee, amounting to what could be a significant financial penalty for a small to medium business, and a cause of reputational impact, as the ICO publishes these:
- 85 organisations received a fine of £400
- 2 organisations were fined £600
- 16 organisations were fined £4,000
(Source: ICO website)
A key driver behind the GDPR was to give individuals more control over their data. Increased awareness of the GDPR means more and more people are exercising their rights under it. Since 25 May 2018, we have been contacted by scores of organisations needing help to deal with DSARs (data subject access requests), as well as to ensure that they are in a position to address other data subject rights. Failing to address DSARs can expose other weaknesses within an organisation, not least the requirement to keep a record of processing activities.
The ICO will always want to know what training an organisation has given to individual members of staff, including Senior Information Risk Owners and Asset Owners. Training staff is key to ongoing compliance and gives confidence to customers that the protection of their data is being taken seriously.