GDPR – a hindrance, or just the right kick in the a** every business needs?

Sep 13, 2017 · 4 mins
Data and Information Security, IT Leadership, Privacy

The new GDPR framework – designed to unify data protection for individuals within the European Union (EU) – is viewed by many as just another form of regulated compliance being forced down their throats by government. However, if you take a minute to look beyond the headlines, there might just be a silver lining.


Some businesses will undoubtedly see the General Data Protection Regulation (GDPR) as just another form of regulated compliance being forced down their throats by government.

If you take a minute to look beyond the headlines, however, these new rules, due to be enforced on those handling sensitive personal data, might just be the exact push needed to ensure that sensitive issues which have previously been dangerously ignored are brought to the boardroom.

C-level executives in organizations across the globe are soon going to be forced to give careful consideration to the security culture within their business, a subject that has a growing level of significance every day for multinational enterprises.

Cyber risk is still a misunderstood concept for many senior executives, even as large businesses continue to consistently suffer breaches, hemorrhage data and pay the price for it.

It’s not all bad

If, in the event of a breach, an organization can prove that it had put preventative measures in place and had met the guidelines, a fine can be avoided or reduced.

An example of this is encryption within a network and on connected devices. Businesses that make an effort to ensure that data breaches only leak unusable (encrypted) data will be looked upon favorably under the new regulations. As long as steps have been taken to encrypt sensitive files, fines can be reduced. The GDPR approach may just be to shame executives into finally paying closer attention and taking the steps to properly secure their companies. While this might not be a perfect solution, it does demand action which is long overdue.

All businesses (or more accurately, people) lose devices, and while the cost of the hardware isn’t negligible, the cost of the data on these devices is about to skyrocket. In the past decade, we’ve already seen record fines for data breaches. In 2016, UK telecoms firm TalkTalk was fined over $500,000 (£400,000) after the personal data of more than 150,000 of its customers was exposed as a result of a 2015 cyber attack. In 2015, the Financial Industry Regulatory Authority fined Sterne Agee & Leach, Inc. $225,000 when an employee lost a laptop in a restroom. The reason for such a high fine? The laptop was filled with unencrypted financial data. Since most computers and smartphones already provide built-in encryption technology, it’s a no-brainer to adopt sensible practices.

Proving that you were compliant with the new rules will not only save face; encryption can literally save a company’s reputation in the case of lost data. Under the new regulations, businesses will not even be required to (however, they should) alert those whose data they have just lost, as long as said data has been made unintelligible to rogue actors. Taking steps like these can only help businesses in the long run, both from a credibility and a sustainability perspective.

While small organizations shouldn’t take too much of a hit, large corporations will need to adjust how data is collected so that more metadata can be made available down the line. These adjustments will very likely lead to improved data sets, making data not only compliant but more easily accessible and searchable.

You need to act fast

With steep penalties on the horizon, there is a need to take action today. At a minimum, businesses will need to go through evaluation cycles, management buy-in, design and implementation, and company-wide adoption. Although the official deadlines are in 2018, in the world of security this is a short window for many to actually bring meaningful change to long-held processes.

Although governance rules vary across borders, we recommend businesses opt to adhere to the most restrictive country’s approach in order to ensure consistency and continuity across an organization, and frankly to make implementation and management easier. An emerging trend is the addition of a DPO (Data Protection Officer) to help oversee this consistency and hold the line on compliance and governance, which, let me say again, is a requirement, no longer an option.

With rumors of stricter regulations swirling, the GDPR will be a guiding beacon, and hopefully the introduction of data protection roles within business will usher in a new data era, one that is responsible and fair to users and that leads to smarter, more secure companies.


Andrew Douthwaite is the Vice President of Managed Services at cybersecurity firm, VirtualArmour. In his role, Andrew has ultimate responsibility over the successful delivery of the company’s Managed Services offerings within its UK and U.S. operations. As part of the executive leadership team he also plays a vital role in formulating and implementing company strategy.

Mr. Douthwaite has over 15 years of experience in the Information Technology industry, including eight years with VirtualArmour in senior engineering roles. Before joining VirtualArmour, he held security-centric application positions within leading software and telecommunications providers. In 2002, Mr. Douthwaite obtained a BSc in Computer Science (Software Engineering 2:1), graduating with honors.

Outside of work, Andrew enjoys an active lifestyle as a junior soccer coach and fan and likes to blow off steam with early morning Crossfit sessions!

The opinions expressed in this blog are those of Andrew Douthwaite and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.