Author Gary Hibberd
On April 14th 1912 the RMS Titanic tragically collided with an iceberg on its maiden voyage, ending what many believed to be a golden age of technological breakthroughs and man’s dominance over nature. Many accuse the Captain and others in command of ignoring messages of icefields and icebergs ahead, stating that they had ample warning to slow down and avert the impending disaster.
Over one hundred years later, there is a potential iceberg looming over the horizon which every business should be made aware of. Of course the new ‘General Data Protection Act’ (GDPR) which has today (April 14th 2016) is unlikely to result in the loss of life seen in the Titanic disaster, but it is still a helpful metaphor for business leaders to consider.
There is an ‘iceberg’ ahead… This has been in the develop over many years and now it’s headed in your direction. The question is; Are you going to ignore it or are you going to do something to prepare for what’s coming?
GDPR: Big day for Data Protection
So do you, or should you care? The short answer is – Yes.
Even if you don’t feel you manage personal information, YOUR personal information is held somewhere; Banks, Building societies, hospitals, doctors, dentists, schools, police and commercial businesses are just a few examples of entities that hold your personal information and they will need to comply with this new act.
What about BREXIT?
Think the exit of Europe will affect this? Think again. The Information Commissioners Office (ICO) have already said that so much work has gone into the development of the new regulations that even if we were to exit Europe, there will be certain regulations which will still be enforced – either centrally in Europe or will simply be adopted by the ICO in the UK.
There’s no escaping the GDPR – It’s on the horizon. You can see it coming. But what will the impact look like?
Who’s affected and how?
Those responsible for Data Protection in a company must tread carefully; This includes senior manager, Heads of Risk, IT or Compliance and of course Data Protection Officers. If your business neglects to address data protection correctly, you can PERSONALLY be held accountable
To date, those identified as the ‘Data Protection Officer’ have generally been required to “work towards” compliance with the requirements. However, under the new GDPR, that person must ensure that all rules are actually adhered to.
As for the business, well they may be subject to a EUR 20 million fine (approximately £15million). Or a fine equal to 2% of GLOBAL profit for minor offences, and 4% for serious breaches.
Our lawyer can handle it. Right?
Sorry, no offence to the grand legal minds out there, but no. the EU and the ICO recognises that good data protection takes more than legal expertise. The role requires a person who not only understands the business, the GDPR but also has technical experience and IT knowledge. A general understanding of ‘cyber’ really isn’t enough. What is needed is experience in security frameworks such as ISO27001 (which is already mentioned in the current DPA).
They must also have access to the company’s data processing personnel and operations, significant independence in the performance of their roles, and a direct reporting line “to the highest management level” of the company.
Is that it?
You’re kidding right? The GDPR is over 400 pages of detailed rules and regulations governing how data may be gathered, shared, stored and destroyed. Essentially how you process data is changing.
I would suggest you see this blog as your first warning of ‘Iceberg dead ahead’. There will be further blogs and information that we will provide and we intend to run a number of events focusing on getting better at information security. Because it is only by doing this, that you will be able to avoid the disaster which is on the horizon.
You have two years to fully comply. It really isn’t long and if you’re reading this blog you have no excuse that you never received the message.
Take steps today to improve your security. Data Protection = Information Security. This is NOT a compliance issue, it is a business issue and as business leaders there are steps you can and should be taking. Start with;
- Risk Management – Is this in your Risk Register? Discuss at your next Board meeting
- Gap Analysis – Seek help from professionals who understand Security not Compliance
- Identify Resources – Who do you need? What skills are you missing?
- Put in a budget – Sorry, but there will be a cost. Budget for it now or pay later!
- Programme management – This is not only a project but a programme. Put in a plan for the next two years to ensure you meet compliance
If you take these steps you are not likely to collide with the obstacle ahead. And if you do, you’re more likely to come out unscathed.
Speak to a member of the team now on
03455 760 999
We would love to help you, ask for Gary Hibberd