GDPR: How to squeeze security budget from the business

Bridget Kenyon, head of information security at University College London explains how the impending GDPR can help security teams increase their budgets

Security teams looking for extra funds from CEOs and CFOs should use the increased penalties for security breaches described in the impending General Data Protection Regulation (GDPR) for leverage.

That's the opinion of Bridget Kenyon, head of information security at University College London, who spoke at Computing's recent IT Leaders Forum event 'Getting ready for the GDPR'.

"If you get a moment with the decision makers in your organisation, here's a simple question to ask them," began Kenyon. "Work out what the maximum fine is under the GDPR, which is four per cent of your annual global turnover. Imagine this money gets taken away, and ask the [CEO or CFO] which part of the organisation they'd be prepared to dump to pay for that fine. Then ask what they'd pay to keep it. That speaks to the core business."

Earlier at the event, Kenyon discussed the compliance challenge brought by the GDPR, which includes data discovery and the need to obtain consent from some parties if you want to harvest their data.

Kenyon also discussed what skills are needed by Data Protection Officers, a role which many organisations will need to appoint once the GDPR comes into force in May 2018 in the UK.

"Who's good at data protection? We've had two DPOs at UCL so far. One had legal training, and the one we have now worked with data protection and information governance at the NHS. People with information governance experience work very well in the context of the DPO role," said Kenyon.

Speaking as part of the same panel, Robert Bond, partner at law firm Bristows LLP, said that the DPO shouldn't be your in-house lawyer.