With British Airways being slapped with a USD 230 million fine over the infamous 2018 data breach that exposed the data of 500,000 customers, security leaders across the globe are on high alert – all thanks to the EU’s unforgiving data protection act, GDPR.
The General Data Protection Regulation mandates that violators are liable to face a fine of €20 million, or up to 4 percent of its annual worldwide turnover, whichever is greater.
CSO India speaks to two well-known information security and privacy law experts to understand whether GDPR is the enforcer we need to keep organizations, both big and small, on their toes and make them take customer data seriously.
In the wake of British Airways’ massive fine and the possibility of Marriott facing a USD 123 million penalty, one needs to ask if GDPR is actually a harsh act. Not really, says cyber and privacy law expert Prashant Mali.
“GDPR is not tough; it just wants organisations to think differently towards their approach towards privacy,” he says. The risk for companies is not only a legal one: “GDPR non-compliance is not just a legal risk, but also a financial and reputation risk to organizations where it’s applicable,” he adds.
Jaspreet Singh, Partner – Information Security at EY, also believes that GDPR does a great job in keeping companies in line. “The supervisory authorities are more vigilant than ever in responding to non-compliant cases which makes it pertinent for the organizations to ensure a strong privacy posture across the ecosystem,” he explains.
Lessons for the CISO
Make no mistake, GDPR goes well beyond merely ticking boxes in a checklist. Changes have to be made at a fundamental level, encompassing people, processes and technology.
“Changes are required in the core and culture of the organization to ensure due importance is given to privacy management. It demands intensive planning, concentrated effort and significant budget from the organizations, therefore making it a tough privacy law,” explains Singh.
The CISO’s role in GDPR compliance
Singh believes that the CISO can plan their organization’s GRC journey considering the current changes in the business environment and trends.
In fact, Mali opines that the new-age CISO, in addition to possessing the required tech skills, should also pursue a professional course or degree in law.