January 28th is International Data Privacy Day and serves as a reminder of the growing importance of data in our organisations and how we must protect it.
Information security management is no longer driven by the fear of security breaches alone. There is now a growing urgency to meet stringent data privacy requirements of legislation, such as the new General Data Protection Regulation (GDPR). Failure to do so could soon result in hefty fines for non-compliance.
GDPR replaces the current Data Protection Act (1998) on 25th May 2018 and adds to the organisational risks already associated with information security:
Cost of non-compliance
Set to escalate from a maximum £500k to between 2-4% (or £10-£20m, whichever is the greater) of previous years Global annual turnover.
Fines will not be reserved purely for breaches but also for administrative failings. Data subjects will have the right to request what information is being held on them, to receive it in a digital format and will have the right to be forgotten. Responses will be mandatory within 30 days. Given Subject Access Requests formed 46% of data protection complaints lodged with the Information Commissioner’s Office (ICO) in 2015/16*, we can expect those figures to increase substantially given the increased demands on organisations.
Cost of data breach
A 2016 Global study by Ponemon Institute** identified that the average consolidated total cost of a data breach is $4 million. The study also reports that the cost incurred for each lost or stolen record containing sensitive and confidential information increased from a consolidated average of $154 to $158. In addition to this cost data, the study puts the likelihood of a material data breach involving 10,000 lost or stolen records in the next 24 months at 26 percent.
Not only are the chances of material breaches increasing but the costs of handling regulators investigations and fines are also increasing.
Damage to shareholder value
So significant is the risk to organisations of poor information security management that it is certain to form part of any due-diligence. For organisations looking for funding, mergers or acquisitions it’s worth considering what a breach, or indeed regulatory investigation, might do to your negotiations. We only need to look at the negative effect a major breach had on the Yahoo / Verizon deal last year for evidence of this. Meeting an independently certified information security management standard such as ISO 27001 gives validation to security credential for all stakeholders.
It’s not all about the threats! Whilst non-compliance and poor information security management do pose significant risks there are opportunities for those well prepared to meet more stringent legislation.
Competitive advantage - demonstrating early compliance, along with a robust information security management system (ISMS), will make you more attractive to customers, and to your supply chain who are equally looking to comply. It’s not just about winning new business, it’s about retaining your existing work and securing your valuable suppliers.
Demonstrating information security credibility - breaches can happen to even the most diligent of organisations. But, with compulsory notification to regulators you can be assured of an investigation should a major breach occur. Of course, they will look for regulatory compliance but they will also look for good information security practices. Demonstrating effective policies and processes are in place is simple with a UKAS accredited ISO 27001.
Cost of compliance - there will be no avoiding the additional costs of compliance to GDPR. The opportunity is to manage it efficiently, hence keeping those costs to a minimum.
For many organisations, GDPR is the elephant in the room. But simply ignoring it is not an option. There is much to consider and put in place, and a short time to do so. It’s why we recommend immediate planning.
Following the ICO’s 12 Steps to GDPR Preparation is a great place to start and we’ve included that as a project framework within ISMS.online.
But for those organisations looking to build trust with customers, staff, their supply chain and with legislators, there is an additional step to consider.
Achieving ISO 27001 demonstrates that your organisation has met the requirements of this internationally recognised best practice standard for information security management systems. By working to the standard you will have already addressed some of the compliance requirements in GDPR.
Doing it with ISMS.online means you can follow pre-built frameworks, adopt accredited policies and use a range of tools to help you manage the required processes for both ISO 27001 and GDPR.