Speaking at the Gartner IAM conference in London, Gartner research director Bart Willemsen said that the GDPR is being taken more seriously, but that there are key factors driving security.
Highlighting both Gartner predictions that fewer than 50% of those impacted by GDPR will be fully compliant by 25 May 2018, as well as a Dell survey that found 3% had finalized a strategy to be compliant and 37% had just started a strategy, Willemsen related non-compliance to breaking a law.
“This is a regulation, it is a law, and I am not telling you to break a law,” he said. “I drive a motorbike and don’t willfully break the speed limit, that’s breaking law. GDPR is law but I have faith in you.” He asked the audience how many had a data protection officer in place, and around half raised a hand.
“Data needs protection so people can have privacy. From conception to death. Saying goodbye at the end of lifecycle is where we have trouble,” he argued.
Willemsen said that the data lifecycle is crucial, as the “cost of storing data is at an all-time low.”
He added: “The mere fact that you may have data does not mean you can use it for anything or keep it forever.”
“The more you have the more that can go wrong – time is the only critical success factor for a data breach.”
Moving on to fines, Willemsen said that GDPR is not just about staying away from sanctions as €20m is serious money, but individuals are now being empowered to a level that we have not seen before, as GDPR will allow a single individual to bring class actions.
Willemsen also pointed at the Yahoo breaches of 2016, and said that under GDPR it would have cost them $860,000 per occurrence. “Organizations must assume they are going to experience a data breach, it has happened once and will happen again because of the cost of storing data.”
He concluded by encouraging businesses to do a continuous risk assessment, consider accountability within the company and adequately secure internally and externally.
“GDPR and data breaches are about risk to the individual,” he said. “Don’t focus on risk to the organization (only) but rather focus on risk to the individual.”
“Do you have control? If you document processes, that may qualify as a data breach and not just a notification. Start crafting your playbook and test over and over as once confronted, how do you respond.”