3 July 2017
How the GDPR sanctions are the best thing that has happened to cybersecurity
Data and the GDPR
Today, data has become one of the most valuable resources for businesses.
Because of this, the incentives to process, cross-reference and publish data keep growing.
This obviously affects the privacy of the individual.
The natural next step, therefore, is regulation: enter the GDPR! No one can have missed the discussions about the strain it will put on firms in terms of implementation and compliance.
GDPR will put new requirements on firms in terms of overall data processing.
However, there may be a positive aspect to this!
Ultimately, the aim of the GDPR is to create safe management and ownership of data. The hope is that this will lead to a more prosperous and safer internet, for private as well as legal entities.
The two essential roles in the GDPR
There are two functions that are essential when discussing the management of personal data:
- Data controllers
A controller is the entity that determines the purposes and means of the processing (Article 4(7)). In practice, most firms will be data controllers in some regard, since they decide why and how the personal data of their own customers and employees is processed.
- Data processors
A processor processes personal data on behalf of a controller (Article 4(8)). Plenty of service firms (e.g. payroll companies, corporate travel agents and marketing agencies) will be data processors on behalf of other companies. At the same time, they are data controllers for the data they manage for their own business.
How can the GDPR be a driver in the evolution towards a safer internet?
Sanctions are one of the key mechanisms in the GDPR, and sanctions are what will drive progress. They are set out in Article 83 and apply to both data controllers and data processors.
Two tiers of fines apply. Infringements in the lower tier (Article 83(4), which covers among others the obligations on controllers and processors in Articles 25 to 39) can lead to fines of up to €10 million or 2% of total worldwide annual turnover for the preceding financial year, whichever is higher. Infringements in the upper tier (Article 83(5), which includes breaches of the basic principles in Article 5) can trigger fines of up to €20 million or 4% of total worldwide annual turnover for the preceding financial year, again whichever is higher.
Let us repeat that, shall we? Fines of up to €20 million or 4% of global annual turnover!
So, how does this affect the way companies manage data?
Article 5 of the GDPR sets out the basic principles relating to the processing of personal data. According to the article, data must, among other things, be "processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures" (the integrity and confidentiality principle, Article 5(1)(f)).
Article 25 states that “… the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects”.
It further states that "the controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed" (data protection by default, Article 25(2)).
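Article 25 names two concrete measures, pseudonymisation and data minimisation, without saying what they look like in code. The example below is added here to illustrate them; it is not code from the original post and not anything the regulation prescribes. The record, the stated analytics purpose, the field list and the key handling are all assumptions made for the illustration. It also shows why the obvious shortcut, an unkeyed hash of an e-mail address, is not pseudonymisation in any useful sense: anyone with a list of known addresses can re-derive the hashes and re-identify the rows, whereas a keyed HMAC cannot be attributed back to a person without the separately held key.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Optional

# Constructed sample record for the example; not real personal data.
RECORD = {
    "email": "Anna.Example@example.com",
    "full_name": "Anna Example",
    "date_of_birth": "1985-04-12",
    "purchase_total": 149.90,
    "country": "SE",
}

# Hypothetical purpose: per-country sales analytics. Only these fields are
# necessary for it, so only these leave the source system (data protection
# by default, Article 25(2)).
ANALYTICS_FIELDS = frozenset({"purchase_total", "country"})


def normalise_email(email: str) -> bytes:
    """Canonicalise so the same person always maps to the same pseudonym."""
    return email.strip().lower().encode("utf-8")


def pseudonymise(identifier: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the normalised identifier.

    The key is the 'additional information' of Article 4(5). Without it the
    pseudonym cannot be attributed to a person, so the key must be stored
    apart from the pseudonymised data set and never shipped with it.
    """
    return hmac.new(key, normalise_email(identifier), hashlib.sha256).hexdigest()


def naive_pseudonymise(identifier: str) -> str:
    """What NOT to do: an unkeyed hash of a low-entropy identifier."""
    return hashlib.sha256(normalise_email(identifier)).hexdigest()


def minimise(record: dict, allowed: frozenset) -> dict:
    """Data minimisation: keep only the fields the stated purpose needs."""
    return {k: v for k, v in record.items() if k in allowed}


def prepare_for_analytics(record: dict, key: bytes) -> dict:
    """Minimised record with a keyed pseudonym replacing the direct identifier."""
    out = minimise(record, ANALYTICS_FIELDS)
    out["subject_id"] = pseudonymise(record["email"], key)
    return out


def dictionary_attack(target: str, candidates: list,
                      derive: Callable[[str], str]) -> Optional[str]:
    """Re-identification attempt by someone holding the data set and a list
    of known e-mail addresses (e.g. a leaked marketing list). They derive a
    pseudonym for each candidate with whatever function they believe was
    used and look for a match. Returns the matching address, or None.
    """
    for email in candidates:
        if hmac.compare_digest(derive(email), target):
            return email
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # generated and stored separately
    row = prepare_for_analytics(RECORD, key)
    print("exported row:", row)

    known = ["bob@example.com", "anna.example@example.com"]
    # Unkeyed hash: the attacker recovers the address directly.
    print("naive:", dictionary_attack(naive_pseudonymise(RECORD["email"]),
                                      known, naive_pseudonymise))
    # HMAC: without the real key, every guess fails.
    attacker_guess = b"\x00" * 32
    print("keyed:", dictionary_attack(row["subject_id"], known,
                                      lambda e: pseudonymise(e, attacker_guess)))
```

Two caveats a practitioner would add. First, pseudonymised data is still personal data under the GDPR (Recital 26) because the controller can re-identify it with the key; it is a safeguard, not an exit from the regulation. Second, the safeguard is only as good as the separation of the key from the data set: if the key sits in the same database or the same backup, a single leak defeats it.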
Article 32 requires both data controllers and data processors to "implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk".
According to the regulation, whether a certain security measure is appropriate in each instance will depend on "the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons".
This is all a very complicated way of saying that companies will need to review not just what personal data they keep and what they do with it, but also the technical solutions and policies in place, to ensure that these are up to date, are not vulnerable to outside attack and do not leak information through the company's own processing.
Data management will be increasingly regulated.
This means firms are required to put best-practice cybersecurity measures in place to safeguard their data governance model, covering everything from e-mail to digital archives. They will also have to make sure that they do not keep personal information longer than they absolutely have to (the storage limitation principle, Article 5(1)(e)).
What counts as best practice is determined by the sensitivity of the data under management, and by the risk to individuals if the data leaks.
The positive aspect is that these sanctions create incentives strong enough for all firms to comply with the GDPR. The result is predictability in the regulatory landscape for data management, and markets like predictability.
Increased regulation may also lead to cybersecurity moving up the corporate food chain. In a recent survey by Harvard Business Review, only 8% of board members consider cybersecurity a strategic risk, whereas 38% consider the regulatory environment to be a strategic risk.
Consequently, the GDPR has the potential to provide a platform on which data-driven business models can prosper and thrive. As most data is stored on or accessed over the internet, the GDPR has the potential to raise the level of cybersecurity and make the internet a safer place in which business thrives.