Quentyn Taylor: “You can never be GDPR compliant, it's a journey not a destination.”
Quentyn Taylor: “You can never be GDPR compliant, it's a journey not a destination.”

At the IT Security Analyst and CISO Forum Debates hosted by Eskenzi a range of distinguished panellists grappled with a range of issues facing the industry, from GDPR to data breaches, reputation, hiring and the IOT.

In our first report from the event, we look at ‘Betting the house on GDPR'.

All other considerations are dwarfed by the threat of fines of up to four percent of global turnover which has succeeded in catching the attention of the board, and delegates in the GDPR panel agreed that it's the spectre of these fines which is the best way to get money from the board to implement the changes needed – along with explaining how much effort would be needed to be put in to avoid top end fines.

With the new punitive figures, the internal costs to avoid fines in the first place would likely be less than the legal fees required to avoid a company-killing fine (if an organisation were trying to minimise its penalty for non-compliance).

While the fines are a driver of compliance, Victoria Hordern, counsel at Hogan Lovells International LLP, noted that in the US people have lost their jobs following a breach and that could come here soon, plus, if you want to be a market leader, then being ahead of the game is a way to relieve purse strings.

Steve Williamson, director of risk and ITCP management at GlaxoSmithKline, added that companies can't write simply GDPR fines off as an operational expense – because they are too great. For a global player it could be a €2.2 billion liability. He used the analogy of a charity which knew it would cost their property if they had to pay such a fine, thus it described the GDPR risk on its risk register as “betting the house”. He added that a good way to handle the issue is to upskill existing staff, and recognise that certain data sets are a higher risk (of personally identifiable information) and companies should prioritise that first.

While discussing how to define being compliant, Quentyn Taylor, director of information security, governance and risk at Canon Europe, declared, “You can never be GDPR compliant, it's a journey not a destination.” Hordern added that the key is you need to demonstrate you've put appropriate measures in place, noting that these issues are “beyond your control”.

Williamson pointed out the paradox that “if you have no systems in place, you might not be detecting that you have any breaches, so not be compliant. Or you could have lots of systems in place, detect breaches as a result, but be compliant.”

For Williamson, securing the IT tech bit was described as relatively easy. What was difficult was changing processes, so if subjects were to ask for all of their data – and the data is not on one system and may include ex employees in multiple systems – then you'd need a process to discover that data, and rely on tools to extract data but it would need processes for different departments to work together.

Taylor suggested that there was even a risk of GDPR ‘carpetbaggers' making vexatious demands – though moderator Jonathan Armstrong, partner at Cordery did point out that the rules call for proportionality, thus for reasonable requests from individuals.

It's expected that there will be a lot of people appearing on the scene to give GDPR advice, but many will not be qualified. The qualified solicitors in the room pointed out that they are insured. Companies may think they are also insured, but there is a need to dramatically extend liability to go from say a hundred thousand pounds to many millions, and thus you'd need to increase your premiums in your legal contract. In addition, legal rates for good GDPR lawyers are rising fast, with no benchmarking.

It was claimed that few clients are asking their vendors ‘what's your compliance status'? and many processors are not clear they will be fined, and they won't be until first is fined.

Armstrong asked, who in the organisation takes responsibility for ensuring you are ready? The consensus seemed to be that it would be a legal function, but would vary according to the nature of the business.

Carolyn Lees, global IT director at Permira Advisers LLP, noted how it is inevitably affected by organisation structure, her own comprising 260 employees in small offices around the globe, where a chief risk officer had oversight of risk, working with each team, but no CISO, though there are plans to appoint a data protection officer.

Taylor said that this organisation has had a programme in place for some time, built out not just from legal, but also from risk. He says it went quickly from potential to actual, and that the multi-discipline approach required was a step change, including IT, the service programme team, a core team, and hundreds below that in global business units with privacy officers, data privacy managers and specialists embedded in verticals.

Hordern noted how increasingly legal is in a prime position driving GDPR compliance across organisations, adding, it also depends if the compliance and risk function want to be at table too. But it is legal that drives the next level down. Some are building on what is already there, others are creating entirely new structures to cope.

As to who runs the team, Williamson said that it was compliance that provided the principal risk person, who would have a regulatory background and legal people already involved in data privacy.

For Taylor it was also the head of legal who was the chief sponsor, but legal, IT and project management task were all involved, with “a bit of all three”.

Lees agreed that it is an evolving structure – though regulated at the base level of data protection and privacy, CRO is now the primary driver.