Info commish: One year to go and businesses still not ready for GDPR Companies are unprepared for the General Data Protection Regulation (GDPR) coming into force a year today, and some small businesses "might not even know" a new regime is looming, the UK Information Commissioner Elizabeth Denham has warned. Speaking at an event by WSJ Pro Cybersecurity titled How Executives Can Manage the …
This move by the EU is going to hit a lot of the wrong people. Smaller businesses... Mom and pop shops... They'll all get done! Whereas the multi-billion criminal outfits like Facebook / Google / Uber will play them like a tool. What we need here is the real-life NY prosecutor that TV's Billions is based off. Someone who gets the industry and knows how to whip them....
Fines are pointless and no deterrent to the companies. All that will happen is that the poor customers whose details have already been leaked will then be charged more to make up the fine shortfall. Make the executives criminally and financially liable themselves, with strong prison sentences and personal asset seizure.
I've been saying this for years but it also has to apply to public sector organisations, as right now they get fined - they go to government ask for a loan for that amount (since it's the government who essentially fined them anyway) and they are back to square one.
Public sector are great at reporting themselves compared to private companies but they also have nothing personally to lose, we need to change that for directors and chief execs.
> "Make the executives criminally and financially liable themselves"
The GDPR incorporates provisions for fines & custodial sentences for those responsible for more eggregious breaches, and mandates having CIO-type positions (which I assume will be where the finger will initially point).
And if the breach is down to having to use weak encryption because the Government wants to snoop on everybody all the time?
An interesting point, but the fact is the majority of the data breaches that have happened are not down to encryption failures, they are down to easily preventable exploits like SQL injection, which should have been a solved problem years ago.
The root of the problem is that businesses see personal data as an asset; the more they have, the more they can monetise it.
If there was legislation to make personal data a liability, something that costs you money, then businesses would think differently about it and try to minimise their holdings of personal data.
So if businesses had to pay a levy of one pound per year for every row of personal data in every database they have then they would work to minimise that cost; they'd clean out personal data relating to old accounts as fast as possible, they'd think hard about the actual value of personal data to them. At the moment they keep as much as possible because "it's an asset".
The levy could be used to finance the enforcement of data protection and for compensating victims of data theft.
From GDPR:
"If your organisation has less than 250 employees you are required to maintain records of activities related to higher risk processing, such as:
• processing personal data that could result in a risk to the rights and freedoms of individual; or
• processing of special categories of data or criminal convictions and offences."
So if you are a (smaller) SMB, then you are possibly unaffected, and if you are- they you really should be following most of what's in the GDPR anyway, I'd suggest.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
