“Worryingly, in some cases organisations are happy to accept the smaller cost of a fine, rather than spend the time and money on actually improving the deep-set problems with their data protection and security policies. Partly it’s because, until now, they haven’t had to. The penalties for data loss have been so minimal that it hasn’t been a worthwhile investment to update existing policies.
“Of all the proposed changes in the draft regulations, the one that is getting the most attention is the increased fines, which will rise to €100million or five per cent of global turnover. These figures are going to be difficult for board members to ignore.”
Groucutt argues that the impending changes make a big difference to the consequences of a breach, and Chief Security Officers (CSOs) can use that shift to secure funding for improvement: “CSOs have always had to balance risks with the cost of protection. This gives them the power to really enact changes in their organisations. We only need to look at the most recent fines from the ICO to see what happens without investment in up-to-date IT practices. Organisations have been fined for losing backup hard drives, revealing customer details to hackers, losing unencrypted laptops and allowing the recovery of data from old computers that had not been securely wiped.
“All of these issues could have been avoided by using secure backup systems, keeping PEN testing up to date, encrypting laptops and removable devices and using secure data destruction. Where IT may have struggled to secure funding in the past, the risk of a €100million fine just might change things.
“It can be very easy to think of data protection as niche issue for the compliance department or your legal and IT teams. The sheer size of the proposed fines makes this an operational issue and a priority for the board of directors.