Defusing the GDPR Time Bomb
With just three months before new data protection rules kick in, John Clelland and Chris Greenslade, founding partners of Proteus-Cyber, explain how to stay cool, calm and compliant.

It’s a watershed year for risk management specialists – and a worrying one for businesses that are not ready for the General Data Protection Regulation (GDPR). But if they seek expert advice now, and develop a step-by-step strategy to minimise risks, they can stay on the right road to compliance. That’s the message from Proteus-Cyber, a software provider that has developed a product called Proteus GDPReady. Launched in February 2017, it was touted as the first GDPR software toolkit on the market to fully support the GDPR process and help data protection officers prepare their organisations for the new regulatory environment.
John Clelland, CEO of Proteus-Cyber, says that GDPReady is suitable for companies of all sizes and covers every aspect of GDPR, such as subject access requests, legal compliance and consent rules, privacy impact assessments, data modeling, and breach notification.
Creating a strategy
When it comes to data breaches, the IT industry has a poor track record, “with 143 million breaches last year alone,” says Clelland, “and there have been several high-profile and very embarrassing breaches industry-wide.” A prime example was Uber, which concealed a hack that affected 57 million customers and drivers. Under the terms of GDPR, Uber would have faced a fine of $240 million (£170 million), representing four per cent of its global annual revenue. Fines will depend on how quickly a breach is reported, and in Uber’s case it was more than a year before the company came clean. That would have been way too late to fess up under the GDPR – Article 33, the breach notification requirement, allows you just 72 hours to report a breach.
“A BUSINESS MAY BE COLLECTING 20 PIECES OF DATA, BUT TO DELIVER THE SERVICE, ONLY NEED 10 … PART OF GDPR IS UNDERSTANDING THE REASON FOR HOLDING AND PROCESSING INFORMATION”
Of course, the best strategy is to avoid a fine in the first place. However, confronted with potentially huge fines, all businesses need to minimise their liabilities as much as possible. “Say you have a £1 billion turnover, four per cent of that would hit you with a £40 million fine,” says Greenslade. But, while it’s as yet unproven, the likelihood is that regulators will be somewhat lenient if you can demonstrate a clear strategy and systems for compliance. “This is where our Proteus GDPR tool can make all the difference,” says Greenslade. “May 25 2018 isn’t an end stop,” he adds. “It’s simply the date when fines start applying. The reality is, people must continue working on GDPR, and let’s not forget that it’s an opportunity as well as a challenge.”
“If you approach GDPR in the wrong way,” says Clelland, “you will constantly be on the back foot and you’re very likely to fall foul of the May 2018 deadline. The right way is to have a multi-phased plan. But the important thing is not to start from the data – begin with the business and the people who run it.”
Proteus GDPReady starts mapping data by engaging with the business and surveying the business owners and those responsible for data gathering and control. “Often, businesses find they have more data than they need,” notes Clelland. “They may be collecting 20 pieces of data, but actually, to deliver the service, only need 10.”
Although every case is different, “understanding the reason for holding and processing information will change the terms of reference and the consent rules you apply,” says Clelland. You must establish whether your data is necessary, whether it is processed legally, and whether the necessary security measures have been applied. For example, “Does the business encrypt the data? Is it secured in transit? Is it encrypted at rest? How do they back up the data? All these questions relate to Article 30,” says Clelland. “If you haven’t done this mapping, everything else will be compromised.”

Caption: Danger UXB: Companies need a strategy to minimise the risk of fines