GDPR needs to bite down on data security culture

Toni Sekinah, research analyst and reports editor, DataIQ

Supervisory authorities enforcing the General Data Protection Regulation (GDPR) from 25th May 2018 will have to use their teeth, severely punishing companies that do not securely handle their users’ data as an incentive to other firms to do so. That was the view shared by participants of a roundtable, chaired by former ethical hacker and cyber-security expert Jason Hart and hosted by security consultancy Axial Systems, which DataIQ attended last week.

Paul Brett, Axial Systems sales manager, said: “I know GDPR has teeth, but those teeth need to be used. They may well have to make some examples early on to demonstrate that this is not just another regulation. There have to be consequences that go with it.”

Those present felt that the “teeth” – monetary penalties of up to €20m or 4% of global group turnover - would have to be issued to any organisation flouting the Regulation as soon as it comes into effect, so that all other organisations recognise the seriousness of the need to protect their users’ data. 

Nathaniel Wallis, security sales specialist at Axial, concurred by saying: “When a fine actually hits, that’s when people start to realise and take notice and spend money on fixing the problem.” Cal Leeming, chief executive of private security firm, Lyons Leeming, also said that GDPR won’t be taken seriously until the big fines kick in.

According to Hart, it is important that the sanctions are used with equal force, regardless of the type or size of company. He felt that this would ensure that no company would assume that it was untouchable with regard to the Regulation. He said: “When those fines do kick in, it needs to be at all types of organisation, not just the blue-chips. It should be at 100-person or 200-person business to show that no-one is exempt.”

The experts unanimously agreed that many companies would not be GDPR-compliant by May 2018. Brett said that many companies are under the mistaken impression that a simple technology solution is enough to be compliant. “A large percentage believe that, because they have some rudimentary technology in place, they are protected. But, obviously, that’s not enough,” he said.

"Certain technology vendors are claiming that they can make their own customers GDPR compliant. That’s a bare-faced lie."

Wallis went as far as to say that some technology solutions providers that are selling a quick fix are behaving disingenuously. “Certain technology vendors are claiming that they can make their own customers GDPR compliant. That’s a bare-faced lie,” he said.

He also said that, with the threat of fines looming, many businesses are contacting Axial in an effort to become GDPR-ready. However, he added that, while half of those companies are “trying to take this seriously,” the other half simply want to do the bare minimum so as not to get fined.

The experts also agreed that information security should not be left just to the IT department. Hart said: “If you’re letting IT do security, it’s like the teacher saying you can mark your own homework.” Wells made the same point in a different way, saying, “you don’t give the people that guard the vault the keys to the vault.” He also said that the job of the IT department is to make sure that systems work efficiently - they don’t understand data because that’s not their job. According to Brett, the reason for this is because “the IT department will naturally be driven by IT priorities.”

The experts did point out that, sometimes when a company does have a person in charge of information security, usually that person will have no power to effect any change or make any decisions. According to Leeming this is a frequent occurrence. “We’re seeing that all the time - decision-makers that actually had no decision-making power, which is a bit bizarre because we didn’t really see that in any other department, other than IT and information security,” he said.

Another issue all the experts agreed on was that not enough C-level executives fully understand the importance of information security and, as a result, it is not embedded in the culture of the company. Hart said: “I don’t think the C-level understands the linkage between data, people and process because, if you’re just dealing with one in isolation, you’re not going to solve the problem.”

To Wallis, the problem could stem from a lack of comprehension: “Sometimes, people who own security don’t necessarily understand how security works or, if they own security, they don’t understand how the business works. So it is a very disconnected operation, especially at board level.”

“GDPR could be the best thing that has happened to this country in a long time.” 

On a positive note, Leeming did say that he has come across some companies that have taken information security very seriously and have adequate measures in place to mitigate the consequences of a data breach, though many of those are located in Silicon Valley. He has only come across two or three companies in the UK that “really have their security nailed.” Leeming said they have done this by embedding security into their culture and working hard at keeping their staff happy and engaged.

Drawing conclusions about what 2018 will mean for data protection and information security, Leeming stated that, provided the regulator follows through, “GDPR could be the best thing that has happened to this country in a long time.”