[BreachExchange] A GDPR storm is coming – are you prepared?

Destry Winant destry at riskbasedsecurity.com
Mon Oct 22 10:21:20 EDT 2018


Cast your mind back to early 2018. The world was alive with the sound
of GDPR commentary. In the run up to the May compliance deadline
everything was up for debate. Would it spell the end of marketing as
we know it? Was anyone actually compliant? Was it good news or bad
news for businesses? And, getting the most air time – would GDPR be a
damp squib like the Cookie Directive?

If you were of the opinion GDPR was a lot of hot air, the intervening
months may feel like vindication. GDPR has largely gone off the agenda
of most media publications and with it the minds of many business
owners. However, we’re merely in the eye of the storm. In the last few
weeks Facebook, and now Twitter, have been squarely in the crosshairs
of regulators for allegedly failing to comply with GDPR. The EU has
issued a stark warning that big fines will be handed down before the
end of the year. Similarly, the ICO has ramped up its warnings that
major action is likely to be taken. Added to this momentum has been a
seemingly endless series of high-profile data breaches with Google+
the latest casualty.

For business owners who put their GDPR compliance on the backburner
since May, the warnings could not be clearer: If you aren’t GDPR
compliant you’re likely to be in some serious trouble in the next few

Facebook has quickly become the poster boy for poor data governance
procedures. Cambridge Analytica, data breaches, and GDPR failures have
all come in quick succession and provide a case study for businesses
on how not to collect and manage data. While it may be tempting to
revel in some schadenfreude, a better approach is to see what every
business can learn from Facebook and how they can protect themselves
from the expected GDPR storm.

Kryptonite for data management

First, it should go without saying that financial organisations hold
some of the most sensitive personal data. Thankfully, the most
important data linked to account information has largely been well
protected. However, having high security standards around bank
accounts can breed complacency especially when you consider it’s not
the only information the average financial company holds. The
marketing, customer service and sales departments will all, usually,
have their own customer databases which may be subject to vastly
different security and governance standards. A breach related to any
of this data could be fatal to a financial organisation and result in
hefty GDPR fines.

General complacency is kryptonite for data management and protection.
For Facebook, its complacency manifested itself in lax standards,
questionable practices and a belief it would never be brought to
account. For financial organisations, it can lead to blind spots
related to data that is deemed less ‘sensitive’. Often, to enable
smooth marketing, client management and sales operations, customer
data is more readily accessible than financial information, shared
with more parties, updated more frequently and inputted into more
platforms. Each of these processes increases risk. Compounding this
issue is a general lack of education related to the power of this data
to do harm. Many would ask, what use is an email address to a hacker?
The short answer is, a lot. This is why GDPR seeks to protect every
piece of personal data.

If you’ve got to this point in this article and you’re beginning to
feel some doubt surrounding your data practices – good. Now is the
perfect time to audit and review all your data processes and security
standards. The baseline should be – is everything GDPR compliant? If
it was in May – is it still compliant? New technology, teams and
initiatives can all impact your data processes and result in

A culture that personal data

If you avoided all of this in the faint hope that GDPR wasn’t going to
be an issue, you need to get on it immediately. In this instance,
buying in technology and availing yourself of the services of
specialist consultants will be the fastest (but not the cheapest)

Next, what is the general understanding of your staff? All the
procedures and technological safeguards will mean nothing if your
colleagues do not understand what GDPR is and the danger of data
breaches. Undertaking company-wide training regularly and
incorporating data management expertise and ethics into staff
development and assessment can be a powerful way to measure and
improve education.

Finally, if the worst happens and there’s a breach – are you prepared?
Time and again we see that a poorly handled response to the data
breach generally does more damage than the breach itself. Again – I’ll
point to Facebook and its slow, incomplete and unsatisfactory
responses to each and every data issue it has encountered.

Slow responses are symptomatic of a failure to have the right
procedures in place. This can be because there is no technology or
expertise available to identify the breach in the first instance or
the right people are not empowered to make quick decisions. You need
to start from the position that any breach, no matter how minor it
appears, is serious. It should be reported to a specialist team led by
the CEO. Within that team should be the IT lead, marketing, customer
service and legal. Consumers should be informed as quickly as
possible, both to be GDPR compliant, and to reassure. The business
needs to identify who is impacted, how, what went wrong, how it can be
fixed and how consumers will be protected in the future. The faster
these boxes are ticked and communicated the better the end result –
especially if the ICO gets involved. As with anything, practice makes
perfect. Conducting wargames and drawing up ideal responses and
contingencies with this team could make all the difference.

We now live in a world where the reputation and future of a company
can be destroyed by hacks and data breaches. Organisations are
generally to blame for this environment. There has long been a culture
that personal data is a commodity that businesses can deal with as
they wish. Now the wheel has turned. If you’re one of the many
business owners that still believes that data governance is just
something for the IT department to worry about – you’re going to be in
for a big surprise. By the end of the year, a number of large
businesses will be hit with near-fatal fines as a warning to other
companies. Acting now will ensure that your company is not one of
these cautionary tales.
