We discussed GDPR cyber security aspects with Richard Preece, co-author of Managing Cybersecurity Risk – How Directors and Corporate Officers can protect their businesses, and Jean-Christophe Gaillard, a senior executive and team builder with a track-record at driving fundamental change in the security field across global organisations. The two experts share their views on why GDPR can be a catalyst around data security challenges.
Richard Preece is the Founder and Managing Director of DA Resilience, a Cyber Risk and Resilience Consultancy helping businesses to seize the opportunities and reduce the risks in the Digital Age. Following his career in the British Army, he has worked in various consultancy roles across energy, financial services, major sporting events, academic and defence sectors. He is a co-opted member of the core team developing a new British Standard (BS 31111) Cyber Risk and Resilience – Guidance for Boards and Executive Management. Jean-Christophe Gaillard is the Founder and Managing Director of Corix Partners, a Boutique Management Consultancy Firm, focused on assisting CIOs and other C-level executives in resolving Cyber Security Strategy, Organisation & Governance challenges. Known for looking beyond the technical horizon into strategy, governance, culture, and the real dynamics of transformation, he has been co-president of the Cyber Security group of the Telecom Paris Tech alumni association since May 2016.
- What in your view are the key data security challenges in relation to GDPR?
RP: I think it is first a matter of perspective and where you – as an organisation – are in terms of data protection and your approach to security and privacy now. If data protection is already core to your company’s culture, then GDPR is a natural development of it down that path. However, if data protection is a somewhat peripheral task that is delegated to IT and legal, then the first – and perhaps greatest challenge is cultural. You need to build the ability, the clarity of vision and the environment to put privacy and security into core governance, risk management and capability.
JCG: Too many firms seem to be obsessed with the 25th May 2018 deadline, but things are not that simple. On one hand, the regulation is not explicit on many points and will require an amount of legal interpretation which could take years to come. On the other, if you are truly starting from scratch on those matters, you could face a challenge that will take more than 12 months to resolve. The key – in those cases – is to focus on the real term you need, and create true transformational dynamics encompassing all aspects – legal, technical, and organisational. We believe that evidence of real transformational dynamics – across the firm – and the credibility of management backing will be key for the short- to mid-term until the dust settles on all legal and regulatory matters.
- Unlike the 1995 Data Protection Directive, the GDPR puts more emphasis on data security as a guarantee of privacy. To what extent is that a threat, and to what extent an opportunity for European companies?
RP: I think the opportunity comes back to corporate values and culture. There is an increasing demand for privacy, or at least more care taken in the protection and use of our personal data. I think GDPR offers a means for companies to demonstrate that they are taking privacy by design seriously, and this can be a value-based attractor to potential customers. This builds on the need to develop trust in a way that is appropriate for the Digital Age. The danger in not doing this is that, especially in the B2C area, there is nearly always an alternative that may be cheaper or better, and customers are becoming less sticky to most specific products and services. The reputational damage of a data breach could very quickly turn into an impact upon sales or the need to heavily discount to retain market share. We saw this with the TalkTalk personal data breach in 2015. This, combined with the other potential costs – regulatory fines, group action compensation claims, remedial actions – could very quickly turn profit into loss for companies and won’t necessarily be covered by insurance.
JCG: I think the GDPR is the strongest lever in years to drive real action around data privacy and security. It brings a real risk of significant material impact on companies and their Boards of Directors, but there is no magic technology solution. Again, it’s about focusing on all aspects, and it’s particularly hard for larger firms which are used to operating in silos and are very vulnerable to that type of transversal problem: you need to make sure you know the personal data you hold, where it is and who’s doing what with it, but you also need to have the right provisions in contracts, ensure personal data is and remains adequately protected, that you have the ability to detect breaches and report back to your domestic regulator within 72 hours, and that you won’t aggravate things through an uncoordinated or untimely handling of incidents. This is complex and requires skills in a number of different areas, ranging from ethical hacking to PR – not just legal. All that under the Damocles’ sword of fines that could reach tens or hundreds of millions for large groups. So it does create a very different context around security and privacy measures. But it does not make things simpler to execute, in particular for large firms. The 72-hour rule is a good example: given the fines that you might face, incentives will be much higher to go to your regulator with all the relevant facts, but to achieve that, you will require the right set of processes, staffed with the right people and supported by the right technical platforms (collecting the right data, and across the whole estate). That could be very complex – and expensive – for large groups.
- How should companies prepare for the handling of potential data breaches according to the GDPR?
RP: Preparation is essential. This doesn’t mean having some plans sitting on the shelf. It means practising it in advance, working out where the likely problems will arise; what works and what doesn’t; and who needs to be brought in to help problem-solve and manage the situation. There are technical and business/personal impact aspects to this; it requires looking at potential scenarios, rehearsing responses and developing a more agile (emergent) based strategy. This is something the Data Protection Officer (DPO) should be ready to help lead, working with the Board, to make sure that there is a genuine capability to act and not simply some untested arrangements in place. Failure to prepare makes the likelihood of failure far higher and increases considerably the likelihood of a bad situation turning into a crisis for the Board and the company.
JCG: The role of the DPO is key in all of this. Many firms are rushing to appoint a DPO just to shift the GDPR problem onto them, and this is wrong. You need the right DPO, and it could be a complex role to fill. The role of the DPO will be to build a clear plan towards compliance and orchestrate delivery of what could be a complex package of measures. This is a context where roles and responsibilities have to be clear for all the stakeholders, and where the DPO – as an individual – will require the right amount of personal gravitas and credibility in order to get things done. So it could be a genuinely difficult position to fill. In large firms, it is key to appoint an executive with the right degree of seniority and experience across all the areas where change is required – legal, technical, organisational – and ensure that the role is supported by a team of experts (internal and external). In small firms, there may be a single person able to meet all those criteria, but equally it may be sensible to use an external service provider (DPO as a service), something the Regulation now allows.
Corix Partners and DA Resilience, together with Next World Capital, Wise Partners in Paris and a number of experts, have analysed the impact the GDPR can have around privacy and security, and are offering a real-life perspective in a white paper which can be downloaded using this link: GDPR: A Catalyst to Drive Real Action around Privacy and Security