These are the top 5 concerns IT leaders have about the GDPR

Tom Allen

The lack of clarity is making business leaders nervous

Breach reporting

The 72-hour time limit for locating data also applies to the reporting of data breaches, once one has been discovered. Computing's research, presented at the IT Leaders' Club, showed that 53 per cent of companies were in favour of this move, while almost 20 per cent were not.

One attendee mentioned the challenge of knowing when data has actually been leaked, and another was unclear on what the regulation actually requires: should you report the breach when you know it has happened, or when you become aware that it might have happened? In other countries that require breach reporting (the Netherlands, for example, effectively fast-tracked the GDPR two years early), it is "When you become aware." However, that was not seen as a clear answer, and the assembled CIOs agreed that case law was needed.

The onus will be on companies to report breaches to the ICO, but the regulator has already acknowledged that there will be a "huge" burden on its staff: no more funding is being made available to deal with the flood of reports that is expected once the GDPR comes into effect (SMBs are more likely to suffer a breach than large firms). This means that the backlog is likely to grow very quickly, especially if any breach (sending an email to the wrong person, for example) needs to be reported. "Sounds like we need data breach reporting as a service!" one attendee quipped.

Fines

On the topic of regulators, there was some confusion about when and how fines would be levied on companies that have contravened the GDPR. The law states that those guilty of doing so could pay between 2 and 4 per cent of global annual turnover, but, yet again, the issue is unclear.

"We're in 250 different countries," said one CIO, "and we have a three-person office in Tunisia. If they have a data breach, could that carry four per cent of $7.8 billion?" Another worried, "Am I liable if a client gets breached?"

"You have to assume that this isn't a money-making scheme," said another attendee. "If you have done your best to do the right thing, then the expectation of the legal profession is that you will be treated sensibly and leniently. On the other hand, if you've just been hoping that it won't happen to you, and suddenly it does, then you will be hammered."

One CIO also wondered how realistic it is to expect fines to be applied to companies that are not headquartered in EU states, such as Apple or Google. Will it even be worth the effort for regulators to pursue these breaches? Another attendee replied, "It'll go through international courts and it'll take…potentially years. We'll have to wait and see."

Definitions

At the end of the day, many of the concerns that IT leaders have over the GDPR come down to a lack of clarity. What is personal data? What constitutes a data breach? How much personal data do we need to track? We wrote an article on this subject last week.

If one thing about the GDPR is clear at this point, it is that nothing is. There remains a huge amount of confusion in the IT industry, and lawmakers must work quickly to reassure companies who will be affected by the regulation.
