It’s all about RISK and Reward

What a reward

I’m working with a lot of businesses who are attempting to implement the General Data Protection Regulation (GDPR).  Some get it and some don’t.  To be honest, that is not a surprise: there is a lot of misinformation out there about GDPR.  Probably the most misleading are the ‘come buy our software, it will make you GDPR compliant’ or ‘complete our templates and you will be GDPR compliant’ offers.  Neither approach will make you fully compliant.  Anyway, what is compliance?

The way a business needs to manage privacy under GDPR changes from the often misjudged approaches adopted under the current Data Protection Act (DPA).  It can make compliance less black and white, but it also makes it more manageable for businesses to adopt.  Some of the key changes that are not being widely explained are:

  1. The requirement for businesses to prove they don’t process Personal Data. Rather than opting in, as businesses do today, they will need to prove they can opt out.
  2. The requirement today is for the Data Subject to prove that a business is not processing data in accordance with the DPA.  Under GDPR, businesses will need to prove that they process data correctly.
  3. It is a risk based approach.  Businesses need to understand the risks their data subjects are exposed to while their data is in their custody.

For points one and two, most businesses that comply with the DPA will have a small amount of work to do.  However, point three will require some effort and some thinking.

For small businesses, management of risk can be a mysterious process.  It can be difficult to understand because there are no right and wrong answers, but it really isn’t too difficult.

First you have to understand the data that is held by your organisation.  I don’t think I have encountered a single one yet that has not been surprised at the amount of data they hold.  Usually the first exercise is to question the amount of data, storage locations and retention.  Reducing the amount of data to the minimum needed to run the business is a risk reduction exercise in itself.

Once you understand the data, examine the risks that your business is exposed to and assess what the impact would be on the data subject if that risk were to materialise.  I assess this impact by using the model developed by NIST.  I have adapted this slightly for GDPR; see below:

This matrix is adapted from NIST

I then prioritise the high impact risks and work on them: first identifying what level of risk would be acceptable, and then working out what actions are needed to reduce the risk to that level.  These actions are then assigned to individuals to ensure they are put into operation.

Risk is largely subjective.  There are approaches which attempt to quantify it, but for most businesses attempting to implement GDPR, this type of qualitative approach will work.  Because it is subjective, it needs to be reviewed regularly as knowledge matures and risks become clearer, as do the mitigations.  So businesses should start to have this as a regular agenda item for board or management meetings.

There are lots of negatives communicated about GDPR, but it doesn’t have to be negative.  Taking a little time to sit back and understand how your business is functioning, and then understanding risk and putting measures in place, can return many benefits.  Here are just a few I have seen recently:

  • Reduction in the amount of data held.  This reduced risk, but it also significantly reduced storage costs.
  • Streamlining of processes, which has increased speed of production.
  • Greater understanding of how the business functions and identification of organisational ‘pinch points’.

As I have said in previous blogs, look at GDPR as a tick box exercise and you will not only fail to comply, you could miss some brilliant opportunities.


GDPR and the people


When undertaking the Data Protection Impact Assessment (DPIA), a mandatory element of the GDPR, how many businesses will consider the risk staff bring with them?

Remember that the DPIA is a process all businesses need to go through to assess the risk they expose data subjects to in holding their data.  If you are conducting a risk assessment, then you need to cover all aspects and one of those has to be the people aspect.

I recently spent an interesting afternoon looking at the actions taken by the ICO.  I was surprised to see some trends.  When I looked at the civil monetary penalties that have been imposed since 2010, most were for breaches under the Privacy and Electronic Communications Regulations (PECR).  This covers spam emails, texts etc.  However, the next highest category, at 37%, seemed to be things that one would class as human error or lack of knowledge.  These things included:

  • Disclosure of personal data via email to the wrong recipients. There were many of these.
  • Personal data that was hand delivered to the wrong individual.
  • Insecure disposal of personal data, both paper and electronic.
  • Making personal data available via websites.
  • Loss of paper or electronic files containing personal data.

Some of the stories actually made me laugh.  How could such mistakes happen? Obviously they do.

When I examined some of the case histories in more detail, it was obvious that many mistakes had happened due to either lack of process or poor training of staff.

Would any organisation consider letting an employee loose on a forklift truck without adequate training?  Would they consider letting an employee use dangerous substances without adequate training?  Or heavy machinery?  My guess is no.  The reason, I would suggest, that many companies comply is that they understand the risk of the above activities.  But there are also risks with data mismanagement.  OK, they may not have the immediate impact of a forklift driven by a maniac, but the consequences of data loss can be catastrophic for data subjects.  If you want to see an example, listen to Bennett Arron.  Bennett is a writer and stand-up comedian who had his identity stolen.  He lost everything and it took him years to recover.  Loss of data is not victimless.

So when considering your risks regarding data, please add in the ‘human cock up’ factor and think about what can be done to reduce the risk.  Certainly training will be a key factor, as will processes that are clear and simple.  Data protection does not have to be complicated – just effective.

Oh, and for those interested: the percentage of fines handed out for data loss from cyber attacks was 6.5% of the total.


200 and counting

It is a big week for all things GDPR (General Data Protection Regulation).

Firstly, Thursday sees us hit the 200-day milestone to GDPR Day (25th May 2018).  This is the day when all businesses will be required to comply with the new regulation.

Monday saw the announcement that the new Data Protection Bill will be put before Parliament after the summer recess.  This will once and for all settle what will happen post Brexit.  The Bill will, to all intents and purposes, transfer the GDPR into UK law as a part of the Brexit preparations.

So GDPR is going to happen.  It is time to extract heads out of the sand and get on with preparations.  200 days is not long.  This isn’t something that will only affect large corporations and the public sector; all businesses need to prepare.

Let’s put the record straight on the reasons for GDPR.  It is not to persecute businesses and make it harder to do business; it is about making sure the massive amounts of data that are exchanged are exchanged in a way that protects the individual.  And that individual could be you or me.  Also, nowhere in the GDPR have I seen it say that something cannot be done.  Things just have to be done in a way that protects you and me.

Let’s look at some of the reasons this regulation has been brought in.

  1. The current Data Protection Act has not kept up with technology and the power of the internet.  In 1995, when the current act was written, there were 16m internet users, 0.4% of the population.  In March 2017, it was estimated that there were over 3.7bn people in the world using the internet, that is over 49% of the population.  3.7bn people create a lot of data.  Actually, they create over 2 Exabytes of data a day.  If that were stored on compact discs, it would take more than 1.5 trillion of them.  That surely has to be managed well.
  2. What we do on the internet has changed.  In 1998, for example, there was no such thing as social media.  Social media itself has also changed.  What started off as a great communications device has morphed into a massive data generation tool used for all manner of analysis.  We have become a commodity of the internet.
  3. There has been a lot of talk about the extended powers that will be given to the Information Commissioner’s Office (ICO).  Yes, the fines have been increased, but largely this is to encourage businesses to do the right thing and not take the risk of being fined.  Currently the maximum fine that can be imposed is £500,000.  To a business turning over hundreds of millions of pounds a year, it may be worth the risk of a fine rather than spending the money on process and technology.  Change that to between 2% and 4% of turnover or between €10m and €20m and the risk assessment may be a little different.
  4. Businesses will no longer need to register with the ICO, so that puts all businesses within scope.  That has to be a good thing.  No longer is it just large companies that can process massive amounts of personal data; it is as easy for a small or even micro business to have huge amounts of data.
  5. The rights of the Data Subject will be increased.  The most publicised is the right to be forgotten.  But that is not the only big change.  Consent will require all organisations that collect Personal Data using consent to review and possibly change their processes.  This could require website modifications and reprinting of paper forms.  If you haven’t got this planned in yet, it could be costly.  I’m fairly certain that web developers will be in short supply in the early part of next year.
  6. Finally, GDPR aims to simplify the understanding of Data Protection across Europe.  There will be one regulation covering all 28 countries, rather than the current 28 different regulations.

If you want to get some idea of what you need to do to prepare, read some of my earlier blogs.  I also offer a one-day course on implementing GDPR with the National Cyber Skills Centre.  If you haven’t started yet, your first job has to be to understand your data.

Image by Tnarlk Innael used under Creative Commons Licence


I must confess.  Until last summer I didn’t know much about GDPR.  I had heard a new data protection regulation was on the way, but that was the sum of my knowledge.  I felt that was a little shameful, as a person who specialises in assisting businesses to understand information risk management.  After all, data protection is about managing your risks around the data you hold.

I went off and searched for information and found an abundance: probably too much, too complex, and much of it aimed to scare, talking about fines of 4% of global turnover.  But I recall that I had to go and find information.  Nothing at that point had been ‘pushed’ to me.  Not that I can recall anyway.

Now I have an interest in understanding the regulation, but what about the general business population; how much do they understand?  I have been doing a few seminars on GDPR recently; whenever I ask the audience how many know about it, there are normally fewer than 10% who admit to knowing anything.  Then they appear almost embarrassed to be in a minority.  This prompted me to conduct a short survey amongst local businesses to understand the level of understanding and preparedness.  I can’t claim it to be scientific, but the findings are quite concerning.

The questionnaire was sent to local businesses, randomly selected from the Chamber of Commerce membership database and my own contacts.  It included a combination of small, medium, large and public sector organisations.  There was a 24% response rate, with 81% saying that they currently hold data that can identify individuals.  The responses were completely anonymous.

The first question asked how aware businesses were of GDPR.  32.5% declared no awareness at all, and 46.5% said they were aware of GDPR but did not understand how it would affect the business.  That is 79% of businesses who, as yet, have done nothing to prepare or don’t even know about it.  We are now only a year off the deadline for compliance!

Some businesses have started to examine the implications, but 34% of the respondents said they didn’t know when they would start.  This is coupled with the fact that 37% of the organisations have not yet defined or allocated any resource to the implementation.  It is even more concerning when 42% indicated that they thought implementation would take between 6 months and 1 year, or even longer.

Why aren’t businesses prepared?  Why is knowledge of GDPR so low?  Well, I take you back to my first paragraph.  I think businesses still have to go in search of the information.  When you find it, for most business leaders, it can be scary.  Some of it generates the FUD (Fear, Uncertainty and Doubt) that we had with cyber a few years ago.

There has been little information pushed from the powers that be.  When I compare GDPR to Auto Enrolment, I think every business leader in the country got personal correspondence from the DWP clearly telling them what they needed to do; however, there has been nothing similar on GDPR.

The ICO has some excellent publications, ‘Preparing for the General Data Protection Regulation (GDPR): 12 steps to take now’ being just one.  Isn’t it time the Government started pushing this information out to businesses rather than expecting them to stumble upon it?  This is a big change for many businesses and they need support.