Don’t be driven by the fines of others

The General Data Protection Regulation (GDPR) was implemented in May last year. Despite a lot of talk around the high level of fines associated with the new legislation, there were not record numbers of penalties issued by the Information Commissioner’s Office (ICO) under the new data protection regime – in fact, just over 90 fines were issued in the following twelve months.

Although fines often get the attention of executives and data protection professionals, financial penalties should not be the main catalyst for an organisation to re-evaluate how it handles data. The real driver of change should be doing the right thing for our customers.

Enforcement notices issued by any regulator, not just the ICO, can be seen as a reference for what organisations should be doing. It is important therefore that as data protection officers we make sure our own organisations are not exposed to risk by thoroughly investigating the regulatory landscape.

Before embarking on any changes to the way an organisation handles data security, it’s vital to carry out a comprehensive audit of how it handles data in the first place. There are several important questions that must be considered, with some of the most prescient being:

What are the privacy and information security risks your board should be made aware of?

• In relation to the products and services you deliver to the market, does your organisation have a clear idea of what personal data it needs, where it is stored and processed and what suppliers are involved?
• Does your organisation have a risk-based supplier assurance approach that includes auditing high risk suppliers?
• Does your organisation have an information security framework in place that is risk-based and explicitly includes personal data?
• For the online products and services you offer, do you have a robust change management approach that ensures changes by third parties are assessed and controlled?

How soon can your organisation run an executive-level exercise to test its incident response plan?

This isn’t an exhaustive list, and it’s essential that your organisation regularly audits and monitors data handling processes to ensure security best practice is adhered to.

Of course, even with thorough preparation in place, it’s important to be ready for the day that something does go wrong. The most common reason given for data breaches is a failure in information security and many of its causes are easily avoided given the right preparation.

Uncontrolled changes to systems or applications, for example, are one of the major reasons for these failures. This can typically be avoided by enforcing robust and consistent change control throughout an organisation, particularly when third parties are being used.

With data protection regulations set to become even more stringent in the future, it’s vital that businesses takes data security seriously. Doing so not only helps to avoid financial penalties and reputational damage that are often associated with a data breach, but can also offer a competitive advantage by demonstrating to customers – and to the broader competition – that data security is a priority.