The General Data Protection Regulation (GDPR), which comes into effect on May 25th, is good news for individuals as it will significantly strengthen their rights when it comes to their personal data. It requires organisations and businesses to be upfront about how they are using and protecting personal data, and to be able to demonstrate accountability for their data-processing activities.
And it comes with some pretty eye-watering penalties for breaches – fines of up to €20 million or 4 per cent of worldwide turnover. Unsurprisingly, therefore, the advent of the new regulation has served to sharpen the focus on cyber security among organisations concerned about the consequences of a data breach.
This should be seen as an opportunity rather than an obligation, according to Three Ireland head of business products, marketing and operations Nicola Mortimer. “Preparing for GDPR offers an opportunity for organisations to refine their security and data policies,” she says. “It’s a very good place to start transforming cyber security measures and it’s a good time to set your house in order. The regulation requires you to know what data you are protecting and to be able to notify the Data Protection Commissioner within 72 hours of a breach. This will help companies become more secure.”
Peter Oakes of Fintech Ireland agrees it will bring benefits. “It’s still a really ugly piece of text to read but there are benefits that can come out of it in terms of the bottom line and the revenue line if it’s done properly,” he says. “It can help drive a cultural shift in organisations to become more data-safety-aware.”
GDPR is a hot topic at the moment and that’s no bad thing, says Tony Hughes, associate director, risk consulting, with KPMG. He describes GDPR’s underlying principles of privacy by design and security by design as conjoined twins which are inseparable. “There is very little point of doing one if you are not doing the other. This is the bedrock of GDPR. Organisations have to look at what they are doing with cyber security that works for GDPR as well. GDPR is a great opportunity for organisations to take a look at cyber security and gain an understanding of what assets they have, both physical and data.”
Compared to oil
He notes that personal information has been compared to oil, such is its value, and this is naturally attractive to cyber criminals. The question comes down to how to protect it from them. “Is trying to keep everyone and everything out the way to go?” he asks. “The experts talk a lot about fruit and vegetables in this regard. There is the coconut approach, which protects everything inside a hard shell. Then there is the onion, where people get bored peeling the layers of skin. And then there is the avocado, where you just protect what lies at the heart of the matter. GDPR offers the opportunity to look at the data you hold and decide on the best way to protect it.”
He doesn’t perceive GDPR as a problem for organisations. “It’s a good time to get clarity and to establish what’s important. You’ve got to know what you have. If you can’t show people what data you have been holding on them you are not going to be able to mitigate the fine in the event of a breach. The GDPR should help organisations become more secure.”
Peter Oakes points to another area which some people may have overlooked. In the burgeoning fintech space, there is an increasing number of applications which are transmitting people’s personal and banking details between different organisations. “When a customer is uploading information it’s not just where and how it’s stored and used that matters, it’s at the point of transmission that it must be safe and secure,” he says. “I’m not sure if I would be comfortable that this is the case with all the applications out there.” Perhaps GDPR will address this issue as well.