#TEISS17: GDPR Will Cause Regulatory Action

Speaking in the opening keynote session of The European Information Security Summit in central London, journalist and author Edward Lucas said that businesses should realize that the GDPR will be a serious issue, particularly with the EU’s competition commission setting a precedent.

In his session, “Unsafe Harbor – how will today’s regulations affect tomorrow’s operations?”, Lucas said that the GDPR will “do the same in the field of data as in energy and others that the competition commission have looked at,” and he said that this was “brilliant.”

He claimed that there are plenty of views within the EU on enforcing GDPR, as it affects anyone dealing with computers, data, hardware and software. “Before now, we have not done a good job [with security]. We have prioritized convenience and cost ahead of security and it has not been a priority as there has not been money in it, and that is why there will be the first tsunami of big tough regulatory moves, and the fundamental point is data privacy is a fundamental right.”

Lucas did acknowledge that there will be fines, as there is a “fundamental right to data privacy” among EU citizens, and things are going to go wrong, but companies will be asked to demonstrate that they did take reasonable precautions. In particular, he pointed the finger at TalkTalk saying that the ISP “got away easy” as they would be looking at a maximum 4% fine if their breach had happened under GDPR, with data protection regulators looking to make an example of someone.

He also made the point that if someone is attacked by “state of the art malware” they will be unlikely to be fined, but if they do not meet the criteria “you will be in serious trouble.”

“GDPR applies if you have at least 5000 data subjects in the EU,” he said. “Not just customers, it could be employees, shareholders and identifiable personal records in the EU. Brexit or no Brexit - if people come to the website wanting a daily or weekly or monthly update, you will be covered by this, so it is a very broad scope. We need to get used to this and be fluent in this.”

He concluded by saying that it comes down to “assess, prevent and detect,” and the need to appoint a data protection officer “who has the clout to do things.” He also pointed out there could be a conflict of laws with other countries, as where in one country an act is illegal, in another it is mandatory.

“EU law says you should delete it [data], and under USA law you would be in big trouble for deleting. This could be lucrative and go to the European Court of Justice, and we will see cases on that.”
