Data Protection Authorities are likely to ramp up the number of GDPR audits this year, according to Ventiv Technology's chief information security officer, Scott Wilson. Businesses must "get their house in order" if they want to avoid a hefty fine and reputational damage, he warned.
"Companies shouldn't fear these audits, but they should plan for them," he explained. The Data Protection Authorities (DPAs) have full investigative powers and are not required to give notice. "The audits we've seen so far have not been window dressing exercises. They don't just sit in a conference room, they get inside the business; they may ask for access to your systems, your data and all your documents."
Mr Wilson noted the example of the Portuguese hospital which was fined €400,000 (currently under appeal) last year after an audit concluded that too many people had access to personal data - even though a data breach hadn't occurred. "If the auditors find you are not following the regulations, even if there's not been a data breach, a company can still be in trouble."
Mr Wilson's advice for risk managers is to truly understand the risk profile of the business from a data perspective. "Do you know how much personal data is in the system? And what is happening to that data? How is it processed? Companies need a holistic view of their data processing operations."
The biggest challenge, he said, is educating the entire company. "The 72-hour notice period starts from when the first employee notices a data breach - not from when the risk manager or the data protection officer is notified." Companies should therefore ensure they have a robust training plan and a clear communication strategy in the event of a breach, he advises.
Ventiv itself, for example, has a well-defined process for responding to potential data breaches. At the heart of it is a dedicated team drawn from across the organisation, including operations, legal, technology and business, as well as external advisors.
It has been over eight months since the GDPR regime came into force, and the sheer volume of data breaches reported has been notable as businesses take a conservative approach to reporting to DPAs. "Until we see what the enforcement environment looks like, there are many grey areas as well as different interpretations between regulatory authorities," Mr Wilson explains. "Companies are sensible taking the low-risk option in my opinion."
In this challenging environment, Mr Wilson recommends that companies proactively establish relationships with their relevant authorities. Opening a dialogue with appropriate DPAs is a chance to discuss the regulator's expectations in the context of your own organisation, he adds.
"DPAs are encouraging this approach but currently we are seeing little evidence that businesses are engaging. They are taking a 'wait and see' approach which is potentially a missed opportunity."
Global regulatory landscape is changing
Looking ahead, Mr Wilson believes risk managers and businesses must keep a finger on the pulse of the global regulatory environment. "There is a global groundswell to establish regulations similar to the GDPR, so it's not just Europe we should be focusing on."
It will be hard for businesses to keep up with the changes, but it is important that they understand all the legal jurisdictions they are operating in from a data perspective, he warns. "It will be an interesting and complex 12 months and businesses need to anticipate and react to stay ahead."
Scott Wilson is Ventiv Technology's chief information security officer