It’s surprising how little the General Data Protection Regulation (GDPR) has been discussed by chief information security officers (CISOs) during the past year.
Many feared that monumental fines would cripple companies and make examples of transgressors. Those fines have not materialised. Despite a steady flow of headline-grabbing breaches, there are a few simple reasons for GDPR not living up to the hype.
The first is capacity: the UK Information Commissioner's Office (ICO) planned a 40% staff increase to cope with its new responsibilities, and that recruitment is still under way. Once the teams are up to strength, enforcement activity may well pick up.
Second, the recent breaches that have reached enforcement were dealt with under the legislation in force at the time each incident happened. In other words, enforcement has not been retrospective. Equifax, for example, was fined in September 2018, but the penalty was imposed under section 55A of the Data Protection Act 1998 because the incident occurred in 2017. This will change as incidents that occurred after GDPR took effect reach the enforcement stage.
Third, for many CISOs GDPR is simply another layer of compliance. Managing compliance is one of the major tasks for any CISO, and many report spending up to 70% of their time on it. For most, GDPR was an overlay on existing requirements such as the Data Protection Act. Keep in mind that much of the responsibility for GDPR does not fall on the CISO: it is the data protection officer who must monitor compliance and liaise with the supervisory authority.
CISOs were busy pre-GDPR
From the CISO perspective, much of the work for GDPR was done before the regulation came into effect. However, security is a constant journey, especially as organisations transform their digital estate through the adoption of new technologies.
That adoption can also help smaller organisations achieve compliance, as cloud providers, for example, will deliver some of the technical controls required. The organisation nevertheless remains accountable as the data controller, so the contract and the division of responsibilities with the provider still need to be documented.
One interesting point is that no headline enforcement action has yet been taken against an organisation for failing to report a breach within 72 hours. This was always going to be a tricky requirement for the CISO to fulfil, because the clock starts when the organisation becomes aware of the breach, and that is rarely a clean moment. When did the breach occur? When was the activity first seen, and when was it confirmed not to be a false positive? Other aspects, such as the handling of subject access requests, have also yet to be tested in enforcement.
First anniversary of GDPR: Politicisation of data privacy
Looking ahead, one major change and area of risk for CISOs is the increasing politicisation of data and privacy. Privacy has been a subject of legislation for decades, but always with differing national interpretations. GDPR was seen as a way of standardising matters. Although it caused a lot of work in the short term, politicians around the world now have a common standard to use as the basis for their own regulation.
A CISO of a global organisation must deal with multiple sets of privacy legislation in the same way a CISO in a global financial organisation must follow different banking regulations in every jurisdiction.
There are growing discussions about the power and value of data. In Germany, the leader of the Social Democratic Party has campaigned for a "Data for Everyone" law that would oblige big technology companies, such as Google and Amazon, to make their data publicly available. The importance of data will continue to increase, along with the demand to protect it, creating more pressure on CISOs.
Remember the words of recital 4 in the preamble to the GDPR: "The processing of personal data should be designed to serve mankind."