Full houses at BH Consulting’s Countdown to GDPR events were testament to strong interest in the EU General Data Protection Regulation. Two seminars took place in Dublin on 25 May, marking a year to the day until the regulation comes into force in 2018.
The first speaker at the morning event was Linda NiChualladh, a counsel with An Post and an expert on data protection. Her wide-ranging and entertaining talk covered the legal aspects of GDPR and its implications for business.
She said the burden of compliance should not lie with one department but with an entire organisation. “Data protection has been seen as an IT or legal issue, but never a business issue. It’s actually all of us together,” she said. “This is more than an IT fix or a patch – it’s a complete culture change in your organisation. This affects everybody … it’s the new ‘health and safety’.”
Several times, she emphasised accountability as a key principle in GDPR. “It’s as boring as it sounds, but it’s essential and it’s the thing that will take you through this,” she said. “Accountability is about documenting everything you do: how you show you have kept a log showing how you have treated data. Accountability gives proof that this is being done. If you tell customers on your website ‘we take your data very seriously’, you’re going to have to prove it,” she said.
She noted that many breaches reported to the Data Protection Commissioner involve human error. Getting ready for GDPR will involve investing in training staff in good data protection practices. “You are only as strong as your weakest link.”
A year to prepare is not a long time, and there is no magic wand for GDPR, she added. However, the process for getting compliant is still evolving, and there is more than one right way to do it. “We are not saying it’s easy but we are saying it’s manageable,” she said. For any organisation or business that doesn’t have in-house resources to handle compliance, her message was simple: “Get help.”
The next speaker, Clive Nightingale of Certification Europe, discussed how the ISO 27001 security standard fits with preparation for GDPR. He echoed Linda NiChualladh’s point about the risk of human error.
He also picked up the theme of how organisational mindset affects the success of GDPR compliance. “You need a culture where everyone in the organisation has responsibility, and it’s got to come from the top,” he said. “Who is going to police compliance with GDPR? It’s all about leadership.”
Referring to his experience as an auditor, Nightingale said it’s possible to tell very quickly whether an organisation does things correctly. Taking the right approach to data protection compliance sends a message about an organisation’s credibility. It shows that it takes care to protect information that belongs to the customer, he added.
Nightingale said the risk analysis process for GDPR should start with knowing where data is and what it means. “The point about GDPR is, unless you know how your data is structured, it’s at risk,” he said.
Brian Honan’s presentation focused on how to develop an incident response plan. GDPR requires organisations to notify the data protection authority within 72 hours if they suffer a data breach. They will also need to explain the reason if they miss this deadline, he said.
Companies that suffer a ransomware infection may need to report the incident to the regulator if sensitive or confidential data is affected. “Ransomware has been deemed to be a breach of data protection. Those incidents will be notifiable issues when you have them,” he warned.
Like the previous speakers, Honan spoke about the importance of senior management in leading these efforts. “This is a business issue, not an IT problem,” he said.
He recommended that organisations should assemble an incident response team from across all business functions. Ideally, the team should include people from IT operations because they know how data storage systems work. An HR manager should be on the team, because a breach could involve staff data, or because a member of staff may have caused the breach inadvertently or deliberately.
The team should include a company’s legal function because GDPR obliges organisations to notify the regulator. Including a PR or communications expert from the business means the team can deliver accurate messages to external stakeholders, the media, or internal staff as appropriate. Lastly, facilities management staff can help recover breach evidence from CCTV or swipe card systems.
Honan urged organisations to develop and test their incident response processes in advance. “Don’t wait for a breach to test how your policies work. Find out in advance how well your team works when an incident occurs. Carry out tabletop exercises and scenario planning. It is important to have processes and infrastructure in place to respond to a security breach. Developing your incident response plan while responding to a security breach is not the best time to do it,” he said.
The trend of blaming victims for suffering incidents has diminished because cybersecurity risks are more widely understood. “You won’t be slated for having a security breach; it’s how you deal with that breach that you’ll be judged on,” Honan said.
Finally, he recommended useful online resources for anyone interested in finding out more about incident response guidelines. SocGen’s CERT website includes several methodologies for handling various breach types. ENISA, the European Union Agency for Network and Information Security, also has free guidance about data protection and GDPR on its site.