We recently caught up with ITGP author Michael Krausz to discuss the EU General Data Protection Regulation (GDPR) and how we can all protect ourselves from data breaches.
Suddenly the GDPR is upon us. Do you think there are many businesses still waiting to start their GDPR compliance journey?
The phrase ‘suddenly upon us’ is quite amusing because of course it was not sudden. It was clearly communicated by the EU in 2016. And companies that knew when their homework was due had already started and are basically done; in banks and insurance companies, for example, they have done a really good job of implementing GDPR. Small to medium companies did not seem to respond, or pay attention, in the same way. This has seen frantic starts from December and they are trying to complete it now.
We are seeing this trend too. Why do you think organisations came to it so late?
Well, first of all the EU data protection law was always ignored because the fines were too low. There is a big difference between the EU and the UK, because the Information Commissioner has always enforced privacy regulations, whereas in large parts of the EU, depending on the country, the fines were so low that nobody had any incentive to take it seriously.
It is very important to state that the GDPR affects everyone, from the person working for themselves to a large corporation. There are many more small companies than large companies and in the past, for these small companies, data protection was simply not a business priority and they are only slowly realising that there is a new regulation. So, with fines now being put into place that would have a significant impact, there is now an incentive to get this done and they are starting to take it seriously. Because it’s so new to them they lack orientation, they lack toolkits and they also feel overwhelmed because GDPR, if you take it seriously, has at least 17 things you have to do, and it could be a lot more. You could get up to 35-40 issues you have to tackle and for the smaller companies it is simply too much – they will need a good gap analysis first before they can start implementing measures.
Which aspects of the GDPR do you think will catch businesses out?
Privacy by design and privacy by default, because to do them properly would require a re-engineering of your software. If you don’t do this right you are in big trouble. Though it might seem tempting to leave these to the last, the ICO advises it is better to keep this in mind at the start of your GDPR project.
In medium-sized and smaller companies, it’s sometimes not clear who the data processor and data controller are, and sometimes there may be two or three people in these roles for different clients. This leads to extremely complex situations.
What advice would you give someone for protecting their data in light of the Cambridge Analytica scandal?
For a private person, firstly, restrict your friendship circle on social media. In real life you are not friends with everybody, you are only friends with people who have made an impact on your life and these should be your friends on Facebook, nobody else. Also, be careful how much you reveal in posts.
GDPR offers new means to actually enforce your rights. If I were an affected citizen I would file a criminal complaint against Facebook and a GDPR complaint. Now the thing is, in this instance Facebook was out of reach of the GDPR as it hadn’t been implemented yet. If the GDPR had been valid when this happened then Facebook and Cambridge Analytica would have been candidates for a fine.
For a company, you should look for service providers who are ISO 27001 certified because this implies that they take data protection seriously.
Are you considering a third edition of Managing Information Security Breaches – Studies from real life? Since 2015, there has been an increase in serious security breaches, such as WannaCry. Why do you think this is?
Absolutely! I myself was surprised how much cyber crime had changed. If you compare it to regular crime, like street crime, they don’t change that much in the way they are perpetrated, whereas cyber crime changes a lot. So, this is what the third edition of the book would cover as well, with at least two or three different types of how to do risk analysis.
Michael Krausz is an IT expert and experienced professional investigator. He has investigated more than a hundred cases of information security breaches.