“Data Protection reaches the Board Room”
By Adrian Leppard, QPM
Without a doubt, the Information Commissioner Christopher Graham has thrown down the gauntlet to Boards on Data Protection. He has been making the headlines referring to the cyber-attack on TalkTalk last October as a “car crash” and stating that, “Any other company with half a brain should be checking their systems now to make sure they don’t land up in the same situation.” Fighting talk indeed.
When a watchdog uses this language in front of MPs, whilst providing evidence to the Culture, Media and Sport select committee, you know a line has been crossed. It’s understandable when you accept that it was a preventable attack; to make matters worse, the company recently experienced a further breach in the security of its customer records after three people were arrested in an Indian call-centre used by the telecoms group in connection with making scam calls.
And if that isn’t a ‘wake up and smell the coffee moment’, then the European General Data Protection Regulation (GDPR), which is due to be ratified by the European Council very shortly, should certainly make the lawyers and senior directors start to twitch. This new Regulation (not simply a Directive) places specific obligations on all large companies and introduces an eye-watering maximum penalty for non-compliance set at €20m or 4% of global turnover and the threat of criminal prosecution.
It was the risk of multi-billion dollar regulatory fines for money laundering that put ‘Compliance’ on Board Room tables, and we can see that Data Protection may soon be following a similar path. In all fairness, not before time. Technology continues to revolutionise the way we do business and in particular, the huge explosion of data with all of its rich potential, is impacting how information is being exploited, accessed and stored – but clearly, this thirst for new business is not always followed by sensible precautions for data security or protection.
That is all going to have to change when the new GDPR is phased in over the next two years or so. Amongst other changes, the new provisions require all personal data stored to have a defined life cycle. Businesses will have to document their Data Protection risk and consider this in all new technology and products.
So what should companies “with half a brain” be doing about this? Unsurprisingly, everything starts with the Board, but too few are wrestling with this challenge in an effective manner. It is frightening to think how the Board at TalkTalk mirrors many others. In fact, a recent article by security law expert Thomas Bennett highlights that personal liability in the event of a breach, for the directors of listed businesses, is a material possibility.