“Data Protection reaches the Board Room”

By Adrian Leppard, QPM


Without a doubt the Information Commissioner Christopher Graham has thrown down the gauntlet to Boards on Data Protection. He has been making the headlines referring to the cyber-attack on TalkTalk last October, as a “car crash” and stating that, “Any other company with half a brain should be checking their systems now to make sure they don’t land up in the same situation.” Fighting talk indeed.

When a Watchdog uses this language in front of MPs, whilst providing evidence to the Culture Media and Sport select committee, you know a line has been crossed. It’s understandable when you accept that it was a preventable attack; to make matters worse, the company recently experienced a further breach in the security of its customer records after three people were arrested in an Indian call-centre used by the telecoms group in connection with making scam calls.

And if that isn’t a ‘wake up and smell the coffee moment’, then the European General Data Protection Regulation (GDPR), which is due to be ratified by the European Council very shortly, should certainly make the lawyers and senior directors start to twitch. This new Regulation (not simply a Directive) places specific obligations on all large companies and introduces an eye-watering maximum penalty for non-compliance set at €20m or 4% of global turnover and the threat of criminal prosecution.

It was the risk of multi-billion dollar regulatory fines for money laundering that put ‘Compliance’ on Board Room tables and we can see that Data Protection may soon be following a similar path.   In all fairness not before time. Technology continues to revolutionise the way we do business and in particular, the huge explosion of data with all of it’s rich potential, is impacting how information is being exploited, accessed and stored – but clearly, this thirst for new business is not always followed by sensible precautions for data security or protection.

That is all going to have to change when the new GDPR is phased in over the next two years or so. Amongst other changes, the new provisions require all personal data stored to have a defined life cycle. Businesses will have to document their Data Protection risk and consider this in all new technology and products.

So what should companies “with half a brain” be doing about this? Unsurprisingly everything starts with the Board but too few are wrestling with this challenge in an effective manner. It is frightening to think how the Board at TalkTalk mirror many others. In fact, a recent article by security law expert, Thomas Bennett, highlights that personal liability in the event of breach, for the directors of listed businesses, is a material possibility

[1]. Board Members look to their senior staff to provide reassurance that the threat is being managed. Unfortunately, all too often, those staff are getting it wrong and that is often due to an over reliance on technology as the solution.

In some ways the term ‘Cyber’ hasn’t helped and it naturally leads some into the IT domain and   detailed conversations about patches, firewalls and networks. Of course the technical protection must be in place but the new Data Protection requirements will place obligations on organisations to think more broadly about their information assets, particularly when you consider that half of all major data breaches involve people and processes, not technology.

Effective solutions require cultural change and that means re-training staff and re-configuring policies and procedures. Some organisations won’t need to do much but others will need to invest substantially. The place to start is with an independent information security audit. It’s second nature to have auditors look at our books so Boards can get the reassurance they need that they have discharged their fiduciary responsibilities. Well the same applies with Data Security, but it does need to be independent and Boards should resist an over-reliance on their own people telling them everything is fine.

Leadership and creating an accountability framework is next, to ensure that those who control the business operationally also own the data risk. All of this is achievable and the enlightened Boards will be introducing ‘Information Assurance’ as a standing agenda item, with effective performance information balancing cost against risk.

With two years before the new EU Data Protection requirements are implemented there is plenty of time to get your house in order; ambitious companies will grab this risk and turn it into an opportunity, a competitive advantage even. Effective information security has the potential to bring significant growth in itself as savvy clients place increasingly tighter security requirements onto their contractors, and some big businesses with ‘big brains’ are already reaping the rewards in the market place.



Adrian Leppard is the former Commissioner of the City of London Police and is now a Director of Templar Executives, a leading London-based Cyber Security company.

Templar Executives is an award-winning Cyber Security company trusted by Governments and multi-national organisations. Operating at the highest levels across the public and private sectors Templar Executives has a world class track record in helping clients develop a resilient and business enabling Cyber Security capability.

For more information contact us now: call +44 (0) 844 443 6243, or email: enquiries@templarexecs.com, or visit www.templarexecs.com



[1] ‘Cyber Security and the Liability Threat for Business Directors’ – Journal of Cyber Security Law and Practice; December 2015; http://www.e-comlaw.com/cyber-security-law-and-practice/