Protecting data must be board-level priority
The Queen has officially opened the National Cyber Security Centre, a government nerve centre that aims to protect the economy, state institutions and critical infrastructure from the growing threat of cyber attacks.
Private businesses are also vulnerable. With so much of the City’s business conducted through digital networks, the threat from malicious actors is real. And yet, while any government help to protect the business community is welcome, the onus of protecting personal data, and providing greater transparency over how it is used, does not fall on the state’s shoulders.
The EU’s General Data Protection Regulation (GDPR) will be enacted in less than 16 months. Although it will be implemented during the Article 50 negotiations, those who thought, or perhaps hoped, that Brexit would negate the impending overhaul of data regulation will be disappointed.
Survey after survey demonstrates that those who have even heard of GDPR are in the minority, with alarmingly few firms having made plans for the imminent restructure it demands. You only have until May 2018 to assess how your business uses, handles, and processes personally identifiable information, whether belonging to clients, customers or employees.
Data governance is at the heart of GDPR, creating significant operational, technical, and organisational obligations for the private sector. Regular audits, impact assessments and the imposition of compulsory data protection officers for some firms will drag many kicking and screaming into this new era.
For those still unconvinced, the penalty for compliance failure is up to four per cent of global group revenue, or €20m – whichever is higher. If that doesn’t drive the gravity of data governance to an executive level, nothing will.
Beyond GDPR, there is a further sign of quite how seriously data governance should be taken: while giving evidence to the Commons committee for the Digital Economy Bill, information commissioner Elizabeth Denham expressed support for making company directors personally liable for breaches of data protection law.
GDPR should not be taken as a threat: its virtues have been extolled by many in the data world for years as best practice. Hindsight is a wonderful thing, but had executives taken data governance seriously in the first place, perhaps we would not be here today.