At the launch of the DataIQ 100 back in March, the Information Commissioner Elizabeth Denham asked me what the industry was feeling about GDPR. It was nine months after the start of enforcement on 25th May 2018 and some seven years since the first draft of the Regulation had leaked.
I told her that many data practitioners were concerned it had become like Y2K - huge effort in advance, little impact afterwards. What worried them was whether they had been making a huge fuss about nothing.
“Tell them to watch this space in the next 90 days,” was her response. It may have taken more like 150 days, but the hammer has now fallen with two hefty blows struck, first on BA and then on Marriott. While both fines are being contested, there can no longer be any doubt that the risks to companies who breach GDPR are real and the penalties significant.
What has come as a surprise, however, is the direction in which those blows were struck. While the anxieties I played back to Denham had been coming from data governance and compliance professionals, both of these failures occurred around cyber-security.
For a global $1 trillion industry to have let down two major brands so badly in this way is shocking. Cyber-security is a mature area of practice, with well-funded CIOs and CISOs who have status and resource that CDOs can only envy. Best practice and professional standards are very visible, not least at the well-padded conferences which that sector enjoys.
Yet the hacks suffered by BA and Marriott came about through software vulnerabilities that should have been straightforward to identify and remedy before malicious actors exploited them. Neither company did so, resulting in significant volumes of personal data being exposed, including some categories of sensitive data that ought not to have been accessible to the hackers in the first place.
For chief data officers who spent several years working hard on privacy policies, choosing the basis on which personal data would be processed, and ensuring they can respond to subject access requests or data portability rights, this is highly disappointing. It is data protection officers who are in the front line of customer complaints if their data is lost, yet it is the back room cyber-security practitioners who failed in their duties.
If GDPR is to continue to mean anything, then CIOs and CISOs need to get over the self-regard and complacency that seem to have set in. In particular, they need to take on board what CDOs have recognised - it is the data they are protecting that matters, not what is put in place to protect it. A state-of-the-art vault is of no consequence if the gold it is meant to protect has already been swiped.