According to NTT Security, complacency could be the downfall to organisations effectively achieving Global Data Protection Regulation (GDPR) compliance
NTT Security, the specialised security company of NTT Group, says that businesses are falling into traps of complacency when it comes to preparing for the upcoming GDPR. Rob Bickmore, Principal Security Consultant at NTT Security said: “Complacency could well become an organisation’s new enemy.”
The company asserts that businesses are still unsure on the actions needed to ensure full compliance ahead of the 25 May 2018 deadline. It warns that some have proactively implemented programmes, yet found that gaps still exist, leaving them vulnerable to fines of up to €20 million or four per cent or annual global turnover – whichever is higher.
The company has launched a comprehensive portfolio of GDPR services in the UK for organisations looking for clarity about their current readiness. “Businesses know that GDPR is fast approaching, but there is uncertainty as to what specifically is required and where the focus needs to be,” Bickmore said. “Our comprehensive range of GDPR services fills the gaps and translates GDPR into a language that everyone, from the top down, will understand and be able to act upon.”
According to NTT Security, common complacency traps include a number of misconceptions:
ISO27001 is enough to cover GDPR. Implementation of controls aligned to this certifcation is a great start, but they are only part of the bigger picture.
The same exercise has already been done when planning for PCI DSS. Any controls implemented for PCI DSS will need to be extended to include Personal Identifiable Information (PII), which even then is only part of the GDPR requirements.
The organisation’s GDPR programme is being handled by the legal or IT team. GDPR compliance is actually everyone’s responsibility. It should not be left to one team – legal, IT, HR and other business functions must all be involved with visible support from the executive level.
It is not the organisation’s problem because they have outsourced all data processing to a third party. Processors are indeed liable for protecting PII under the GDPR, but the responsibility is still on the data controller to ensure processors implement ‘technical and organisational measures’ to protect the information.