Like puppies for Christmas, GDPR was about more than one day
"A Dog Is for Life, Not Just for Christmas" has become a somewhat iconic message but as I write this on a blisteringly hot summer day there is no similar advice. Is now then a good time to buy a puppy on a whim?
Of course it's not; the message behind the slogan is valid all year round. It's just that you never hear it at any other time.
Similarly, there was a flurry of activity and media attention around the EU's General Data Protection Regulation (GDPR) last year and rightly so. The consequences of being at the centre of a data breach, with a potential fine of 4% of turnover, meant most firms heard the message and acted to get their house in order.
Then GDPR Day came and passed and everyone stopped talking about it.
Until British Airways was told it faced a fine of £183m for a data breach in which customers’ credit card data was stolen.
GDPR got real then, didn't it?
Like those Christmas dogs, GDPR is for life and not just for that long-forgotten deadline day. A few friends have told me that they think that their firms have taken their eyes off the ball since last May and that IS a worry. The problem is - you might not know if you have let things slide until you get stung.
The bad guys are not operating at the level they were at when you addressed your GDPR responsibilities last spring. They are getting more and more sophisticated, so your systems and approach have to evolve to match them. To be clear, BA got hit by scammers at the top of their game. I mean, just imagine how much BA will have spent on data protection and how sure of their security controls they must have been. "Fort Knox," was how one security expert colleague had imagined them to be, and I guess few would have disagreed.
I think that most people doubted that the Information Commissioner’s Office (ICO) would levy the maximum fine available to them. A rough calculation of 4% of BA's annual turnover gives a fine of about £500 million. That's a pretty unthinkable amount, especially given the fact that the highest fine before GDPR was half a million.
Indeed, many thought that the level of security British Airways had and the speed with which they reported the breach would have meant a more lenient approach. GDPR stipulates that you have 72 hours (three days) to report a breach; it took British Airways just one day to announce it had been compromised.
Ian Thornton-Trump, a cybersecurity expert, was quoted by Forbes as predicting a fine "in the £5 to 10 million range". Many observers thought even this may be on the heavy side, so when that £183m figure was announced the whole internet security and business community gave a collective gasp.
It's not just the fine, of course: a data breach brings claims for compensation from customers who might have suffered financial fraud as a result, and then there is the incalculable damage to reputation that a firm may suffer following a cyber-attack. Furthermore, in this case, BA was also threatened with a £500 million class-action lawsuit.
The high-profile cases, like BA, grab the headlines, but it is another BA altogether that has concerned the CIOs we’ve been talking to. Business Analysts became so sought after during the initial GDPR compliance preparations that firms were struggling to find them. Our sister company, Access Talent, the IT Project recruitment specialist, reported a surge in enquiries for this role post-GDPR too. As more businesses need BAs with regulatory experience to help create guiding principles on how their information is governed, hirers are increasingly toiling in vain to find business-facing talent to fill these roles. As a result, the Project Management as a Service market is doing a roaring trade in Business Analysts – this market should be your first port of call if you too are having difficulty finding BA talent to add to your staff headcount.
Another consequence of diverting attention and resources into projects initiated just to make firms GDPR compliant is that, often, something somewhere else in the portfolio has to suffer. Few project operations factored this in and few organisations had budgeted for extra resources, so it fell to the in-house IT team to do what in-house IT teams always do – they had to deal with it. This meant a lot of burning of candles at both ends, which would have been OK for the short-term fixes that were being worked on last May and June. Over a year later, though, many firms still have longer-term GDPR projects that are sapping resources needed elsewhere, and strategic business change projects are falling behind or not delivering their full potential. The PMaaS market is geared up to help with this – you should ask your Project Management Services partner to take a look at your portfolio and recommend resources.
GDPR is having and will continue to have an impact on the efficiency of project teams. Based on the number of cases reported, attacks are trending upwards. By just August last year, the ICO revealed that data breach complaints were up 160% in the three months or so since GDPR had come into force.
Now, a year on from those figures, the ICO has just published its Annual Report and it is clear that this was only the beginning. In this first Annual Report since GDPR took effect, the ICO reports that complaints from the public almost doubled.
The ICO also reported a considerable increase in reports of data breaches that it received from companies, including 13,840 personal data breach reports under GDPR. This is more than four times the number received in 2017-18 and cybersecurity was cited as being at the root of many of these.
There is good news in the ICO’s Annual Report though: in more than one in eight (82%) of breaches, the reporting organisation had sufficient measures in place, or was taking appropriate steps to address the breach, so the ICO was not minded to take any further action. Furthermore, in fewer than 1% of cases the ICO began proceedings beyond issuing recommendations or advising further action, and just 0.05% of cases resulted in a financial penalty.
While it seems that UK businesses are over-reporting data breaches, the ICO states that this is a sign that organisations "are taking the requirements of the GDPR and DPA 2018 (Data Protection Act 2018) seriously" and, they say, "it is encouraging that these breaches are being proactively reported to us."
Less encouraging, but at the same time inevitable, is the increase in cyber attacks and the increasingly sophisticated tactics being used by the criminals. But with just 0.05% of cases resulting in a financial penalty, it’s not worth losing sleep over, right?
My old maths teacher had an interesting take on our perception of percentages; she would have said: "0.05% is only a small number if you're part of the 99.05%. If you're part of the 0.05% it's ENORMOUS."
This is the takeaway from all of this! Take a regular walk with your German Shepherd guard dog around your perimeter fence to make sure that there are no holes in your IT projects and systems that these guys can exploit, and make sure that the measures you have taken are not sapping energy from key business change initiatives.
Many of my friends are sharing a view that their firm walked the guard dog around the fence last May, but it has stayed in its kennel ever since.
Remember, that dog is for life! So is GDPR!