The EU’s General Data Protection Regulation is fast approaching and with it vast changes to the ways that companies handle our information.
Much of the consternation has been focussed on the fines that regulators could impose on firms that flout the rules, and rightly so – fines can reach up to four percent of their annual turnover, or €20 million.
But, while these penalties are considerable, DIGIT leaders have warned that the proceedings from class-action lawsuits could bear a much bigger financial burden.
Bill Buchanan, Professor of Computing at Edinburgh Napier University, told DIGIT that the problem’s origins lie in a fundamental disconnect between customer needs and company wants: “Most of our existing security problems are caused by the usage of systems and methods which have very little trust built into them.
“It is strange that the industry has generally failed to secure its web infrastructure and provide proper identity checking on their web sites, but do so now that Google is marking sites which do not have HTTPS as insecure. A drop in web rankings seems to mean more to companies than providing a Web infrastructure which can be trusted by individuals.
“GDPR finally makes it difficult for companies to wriggle out of their commitments to citizens, and where we see a focus on encryption, incident response, pseudo-identity and citizen access rights.”
Disruption is coming
So, are there the makings of a perfect storm with the introduction of GDPR? With stronger tools for individuals to chip away at increasingly accountable organisations, it would certainly appear so.
Professor Buchanan said: “My worry is that many companies are currently in the wrong place to actually properly implement GDPR, and that a radical re-design is required to make their systems ready for incident reporting and in the usage of encryption. The concept of users having access to their own data and in pseudo-anonymisation will often require a complete change in their approach.”
Early warning signs are already here. Supermarket chain Morrisons is facing the dock in the High Court after failing to prevent the data of 100,000 of its employees going online in 2014. Now, 5,518 former and current employees have been corralled by a single solicitor claiming compensation for the ‘upset and distress’ that the incident has caused their clients.
Professor Buchanan underscored the urgency of planning for GDPR with a stark warning: “There are now no excuses for lacking knowledge or awareness, even for C-level executives. Organisations thus need to inform and educate staff in the usage of encryption and in the protection of data.
“Along with this, organisations need to be training staff for events that they hope will never happen. Companies will thus have to train staff in detecting and responding to major events, such as for data loss.
“A poor response to an incident could lead to major fines, along with serious damage to brands, company values and other losses. While direct losses can often be insured against, the damage to the trust relationship with customers and shareholders can cause significant long-term damage.”
GDPR: the new PPI?
Everyone is well aware of the PPI scandal. The cold calls might be irritating, but they are easier to understand when it’s appreciated that over £26 billion has now been paid out by the UK’s banks to customers for mis-sold PPI.
In the groundswell, Lloyds Banking Group set aside a total of £3.6 billion to cover costs, while HSBC had provisions of £745 million. Payment protection insurance is now the most complained-about financial product ever.
Martin Sloan, a Data Protection Lawyer at Brodies LLP, told DIGIT that, while ironic, it is entirely possible for no-win, no-fee firms to seize the ‘opportunity’ that patchy approaches to info-sec present.
Sloan said: “Whether the increase in data breach incidents and greater awareness of data protection laws leads to PPI-style cold calls following any major data breach remains to be seen. This would be a somewhat ironic outcome, considering a number of PPI claims companies have been fined by the Information Commissioner’s Office for breaching the rules on SMS marketing and cold calls!
“However, for organisations holding information on large numbers of individuals, it’s easy to see how compensation claims for breaches of data protection law could quickly add up. Such claims could be made not just for a failure to properly protect data from a security breach, but also for unlawful processing or a failure to comply with obligations in relation to transparency and accountability.
“Clean-up costs, compensation claims and reputational damage could dwarf any regulatory fine. For example, while TalkTalk was fined a record £400,000 by the ICO following its data breach, it is estimated that the overall cost to the business in terms of remedial action, clean-up costs, and loss of customers is between £50 million and £60 million.”
What can companies do?
Official guidance in the UK has been slow in coming, but the Information Commissioner’s Office (ICO) has released some manuals on what to expect and how to proactively approach the incoming regulations.
12 Steps to Take Now is one such guide, which provides an introduction to GDPR, jargon-busters, and activities that companies can undertake to improve their awareness and tighten their info-sec.
More guides are expected in the future, but companies are being urged to act now.
Professor Buchanan stressed that GDPR and the fines it may bring should not be viewed as a threat, but as a challenge for firms to put the customer first. By centring on the individual, organisations, public and private, can ensure that they not only remain compliant with the regulations, but also appear more trustworthy to the consumers that sustain them.
Professor Buchanan told DIGIT: “GDPR should not be a barrier to the transformation of our online services, and our drive to make Scotland a digitally-focused country should not stop. With the right approaches, we can start to properly design our systems with the citizen at the core, and to allow each citizen to have ownership and governance of their own data.
“As we move towards an always-on infrastructure for access to our electronic services, we need to make sure we have resilience in the infrastructure, and this, along with protecting data, must become a key factor in the design of our online environments.”