The main difference in the change from Data Protection Act to the GDPR regime is that you cannot write the fines off as an operational expense.
Speaking on a panel at the IT Security Analyst and CISO Forum, moderator Jonathan Armstrong, partner at Cordery, said that some research was "just plain wrong" and providing difficulty for those in the CISO profession to know where to start and where to get good information from.
As well as making the claim about not writing off the fine as an ‘operational expense’ Quentyn Taylor, director of information security, governance and risk at Canon Europe, said that in the case of GDPR, there is the potential of a short term sell as the threat of a fine is a way to sell it.
“Don’t just focus on the fine, but how to avoid a massive fine as you could add a zero to internal costs on what you have to spend on a regulatory fine”, he said.
Carolyn Lees, global IT director of Permira Advisers, added that senior management will need to see that it gets done, while Victoria Hordern, counsel at Hogan Lovells International, asked if with GDPR we will see a replication of what the FTC has done in the USA and with that type of enforcement coming to Europe, will jobs be on the line?
Steve Williamson, director of risk & ITCP Management at GlaxoSmithKline, explained that compliance is being resourced, and to be resourced will be "money well spent", but something else it is doing is upscaling controls and compliance, which is part of building and integrating privacy into operations.
Speaking about getting the basics right, the panelists acknowledged the challenges in getting a basic checklist, privacy policies and consent forms together, and knowing what it looks like is far from simple.
Taylor encouraged delegates to focus on risky areas for their companies, and where GDPR is going. “Work on changing culture as it can take a long time, and if you think you are already there but a lot are not and changing it will take a long time.”
Armstrong also noted a shortage of good lawyers in this space, as legal talent has not migrated to data protection law and a shortage of good people will continue by the end of the year.
Taylor said: “It used to black or white. Compliant or not compliant: but if you are not sure on where to prioritize, I cannot advise you on it.”