It will come as no surprise that people are fed up with their personal information being leaked. The recent Equifax breach in the United States, in which up to 143 million people may have had their most sensitive data exposed, is a case in point. It was a big deal. It remains to be seen whether anyone at Equifax will face jail time, but the breach has already resulted in the CEO, CIO and CISO being forced out of the company. Contributor: Kim Lessley, Director of Solution Management – Cloud Security, SAP SuccessFactors.
Although the Equifax example happened in the US, similar breaches, such as the Uber hack disclosed in 2017, which affected 57 million users around the world, or the breach of confidential data that may have disclosed the identities of undercover agents working for the Swedish security service and police, show that data breaches are very much a global concern. For Europeans, the right to data protection and privacy is a fundamental right.
This right has been further strengthened by the latest general overhaul of data protection and privacy legislation, the EU General Data Protection Regulation (GDPR), which applies from 25 May 2018. Potential fines for not complying with the GDPR are no longer a slap on the wrist; they could seriously endanger a company's livelihood. Alongside the increased fines, there is also talk of possible jail sentences for senior managers in cases of intentional violations. Realistically, the average employee is unlikely to face jail time for not following proper data protection and privacy policies, but data protection and privacy are everyone's responsibility in a company.
Under the GDPR, it becomes mandatory for certain organisations to designate a Data Protection Officer (DPO). This applies to all public authorities and bodies that process personal data, and to other organisations whose core activities consist of regular and systematic monitoring of individuals on a large scale, or of processing special categories of personal data on a large scale.
The DPO is responsible for advising on and monitoring data protection compliance within the organisation. Typical tasks of a DPO include:

- Informing, advising and issuing recommendations to the company regarding compliance with data protection laws and the GDPR.
- Assisting with the implementation, management and monitoring of the data protection strategy, and with the creation and roll-out of policies, guidelines and data protection awareness training.
- Monitoring compliance against the relevant data protection and privacy regulations.
- Identifying and managing risks related to data protection, and escalating data protection risks and issues to executives as needed.
- Cooperating with the designated supervisory authority and other data protection authorities, and consulting them, where appropriate, on issues relating to data processing.
- Providing advice, where requested, on Data Protection Impact Assessments (DPIAs) and monitoring their performance accordingly.
To use the Equifax example again: had the company been subject to the GDPR, failing to report the breach to the supervisory authority within the 72 hours the regulation requires could have attracted a fine of up to 2% of global annual turnover, around $62.9 million based on its 2016 operating revenue of $3.145 billion, and, depending on the criminal law of the member state concerned, senior management might also have faced charges. A good DPO would have advised the company to come clean immediately. Unfortunately for them, they did not, and Equifax is now a household name in the US for all the wrong reasons.