Monday, December 11, 2017

Thinking about the fine

Pressing the accelerator is the first reaction on a car trip when, for whatever reason, time is running short. If the driver then becomes aware of what they are doing, the first thought that usually comes to mind is the cost of the fine, or even how to avoid it. Sanctions exist to penalize a behaviour that is not only dangerous but can also be deadly.

In the cybersecurity sector, when we talk about fines, what comes to mind is the GDPR, its imminent arrival in companies and, with it, the sanctions. When discussing regulation it is worth listening to the voice of experience, in this case the interview that NNT, a provider of cybersecurity solutions, conducted with David Froud. With more than 18 years of experience in information security, including regulatory compliance, privacy and data protection, David Froud currently serves as Project Leader for several Fortune/FTSE clients and has conducted hundreds of on-site assessments worldwide.

When we talk about the GDPR, we must bear in mind that time is against us and that the window for implementation is shrinking. Until now, the message has been that the new regulation brings fines of up to 4% of global annual turnover for a breach, but David Froud sheds some light on this point and clears up the doubts: "Unfortunately, that (the goal of avoiding fines) is where most organizations start, and everyone makes a mistake! I see this panic-inducing rhetoric in almost all cybersecurity publications and, in my view, they should be better informed." Although this claim is widespread, Froud explains that it is not accurate: "The actual facts are that, first, the GDPR is around 95% about enforcing the right to privacy, and a loss of privacy is not possible through a data breach. Secondly, the maximum fine for any organization is 2% of its 'annual turnover', even in the face of the most atrocious loss of data due to non-compliance, not the 4% that is being quoted. Finally, the fines are totally discretionary, and an appropriate security program will significantly reduce any fine imposed." For context, the 4% tier of Article 83(5) is reserved for infringements of the basic principles, consent, data subject rights and international transfers; the security obligations of Article 32 fall under the 2% tier of Article 83(4). But what Froud wants to make clear is that, beyond debunking the myth about fines, the fines themselves are not what should worry companies.

When it comes to clearing up doubts about the GDPR, David Froud seems to have it clear: "In the first place, data security is not the same as privacy. In the same way, a loss of data due to non-compliance doesn't, in itself, amount to a loss of privacy. It's what is done with the stolen data that has the privacy implications. In addition, data security represents less than 5% of the 778 lines of all the GDPR articles, and PCI DSS is, in my (admittedly skewed) opinion, no more than 33% of a true security program."

It is important to give voice to the opinion of an expert in security and regulation on the best approach to take when undertaking a GDPR project: "The most important point to face up to is that most of the GDPR refers to obtaining explicit consent for the personal data collected (or another legitimate-interest basis), and only using that data for purposes in line with the permissions received." This statement invites a rethinking of the GDPR's ultimate objective and of how it should influence companies and their strategies: "As such, the GDPR should be approached as a corporate governance project, not as a cybersecurity project. My approach would be to establish this understanding first, then set up a team within the organization led by a privacy expert but including sales, marketing, human resources and, of course, information technology and security."

The lack of information, or even the circulation of incorrect information, about a regulation that has to be implemented in such a short time is surprising. When the experts give their opinion on the regulation, they advise putting GDPR fines at the bottom of the list of concerns. An appropriate security program will reduce risk levels, and that should matter far more than any sanction.
