Discussions of late may have shifted from awareness to readiness, but there’s much about the new law still to be decided. How quickly will regulators levy major fines? What cyber security technologies and processes will be deemed “state of the art” for compliance purposes? Will the regulation help or hinder innovation?
The one thing organisations don’t have is the luxury of choice: if any of your customers are EU citizens, you must comply. So what happens next? Once midnight strikes on May 25, what can we expect to see?
1. No big fines…for now
The GDPR gives regulators the power to hit firms with a maximum fine of 4% of global annual turnover, or €20 million, whichever is higher. But contrary to many headline-grabbing predictions and FUD-led marketing, it’s unlikely that they will look to exercise these powers early on. In fact, UK supervisory authority the Information Commissioner’s Office has said publicly: “It’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm … We have always preferred the carrot to the stick.”
>See also: Businesses are entering the home straight for GDPR compliance
That said, these fines are far from symbolic and as time goes on, and regulators’ patience wears thinner, the chances of major financial penalties will increase. The €20 million question is when exactly this will be.
What is most likely is that the first big fines will come not from a major breach, but possibly a case brought by an individual whose new rights to data portability, erasure, access etc were not upheld by an organisation. The reputational impact of such a case could result in far more damage to brand and customer trust than the headline fine.
For those organisations still willing to risk non-compliance, it should be remembered that the regulators will also have the power to suspend data transfers to third countries — like the US and potentially post-Brexit Britain — and even shut down data processing altogether. That would put any modern organisation out of business pretty quickly.
2. GDPR-related extortion
Cybercriminals are nothing if not resourceful. We’ve seen extortion tactics become increasingly popular, most notably in the huge uptick in ransomware over the past few years — whereby the victim is forced to pay up or else lose access to their files forever. It’s entirely possible that the black hats might attack an organisation and steal customer data or plant malware with the aim of first extorting money from the targeted company.
>See also: What does the legal sector need to know about GDPR?
Although it’s still unclear exactly what fines regulators are prepared to levy for specific types of attack, the hacker could estimate the likely penalty and then demand a ransom less than that amount. Some CEOs might opt to pay-up, Uber-style, in order to keep the incident quiet. If they refuse, the attackers could go to plan B and sell the stolen data online.
3. A supplier-related incident
The GDPR will force a step-change in the way organisations manage their third-party suppliers and partners. In fact, under the new regulation, data processors such as cloud service providers are equally liable for breaches along with the data controller. The supply chains of modern organisations are in reality complex networks of inter-dependencies which many will find difficult to map and secure.
That’s why we are likely to see a major incident stemming from a supplier issue — most likely a supplier in a so-called “third country” outside the EU where local data protection laws are less rigorous. Ensuring your contractors, suppliers and processors have the same policies, procedures and security controls in place is crucial to keeping the GDPR regulators happy.
4. Not telling the whole truth
Despite the threat of fines, reputational damage and major service interruptions, some companies may still be tempted to keep serious breaches of the regulation quiet. In fact, the role of the data protection officer (DPO) as an independent compliance expert within the organisation may isolate them, creating an “us vs them” culture which could fuel this kind of thinking.
>See also: Head in the clouds? Then you had better be ready for GDPR
It goes without saying that this would be a huge miscalculation guaranteed to result eventually in serious repercussions. The GDPR is all about forcing organisations to be more open, transparent and accountable. Concealing the mishandling of customer data shows deliberate disregard for these key tenets.
On a less serious note, we may find organisations not telling the whole truth about a data breach incident simply because they don’t have enough information to hand. This is why continuous network monitoring, advanced breach detection and incident response plans are essential, given the GDPR’s strict 72-hour notification requirement.
Increasing visibility into your data flows and security controls is a must-have. Organisations that end up finding out about a breach via a third-party will immediately be on the back foot, and may find it hard to meet the strict time limits effectively. Remember: a ransomware outage could also be covered under the GDPR if you are not able to “restore the availability and access to personal data in a timely manner”. This makes it essential to maintain a best practice backup policy, according to the 3-2-1 rule.
Under-reporting is a serious infraction of the law, but we may also see many SMEs over-reporting after 25 May. It’s up to regulators to be clear about what constitutes an incident, and for firms to seek guidance on this. The impact otherwise could be wasted resources on both sides.
>See also: Thriving in the post-GDPR landscape
5. A period of adjustment
The most important thing to remember about the GDPR is that it’s not a one-off compliance effort like the rush to fix the Y2K Millennium Bug. On the contrary, it’s a continuous process that will need to be constantly evaluated and evolved over time. That’s good news because this will likely result in a de facto grace period early-on in the GDPR’s lifetime as regulators and organisations feel their way around the new law.
To succeed long term, boards must view the regulation as a business, rather than a security, risk. Strategy must be formulated with stakeholders from across the organisation — including IT, legal, compliance and the data owners themselves. The bottom line is that the GDPR is here to stay, so firms must get on board, embrace the change and learn how to innovate, grow and compete amid a new regulatory landscape.
Sourced by Bharat Mistry, principal security strategist at Trend Micro