Is GDPR a sleeping PPI scandal with a disproportionate impact on mid and small enterprises? Channels may need to start making plans now, says one industry security veteran.
Ian Kilpatrick, EVP Cyber Security for distributor Nuvias, says the impact of GDPR in the channel has not yet started, but could soon provoke a new sort of customer reaction.
Talking to IT Europa at the Infosec event this week in London, he warned: “There are still some unconsidered implications of the GDPR introduction which mean that the channel could be busy for the next eighteen months – most small firms have ignored it, but once it is realised that all firms have to respond within 30 days to an information request, it could take on the scale of a PPI scandal."
Under the provisions, individuals have the right to obtain the following from any organisation that holds their data:
- confirmation that the organisation is processing their personal data;
- a copy of that personal data; and
- other supplementary information, which largely corresponds to what the organisation should already provide in its privacy notice.
“Imagine small firms being hit by thousands of requests for data held, which has to be found manually and delivered in 30 days. I predict a real issue here,” he says. There is also the possibility of a malicious, co-ordinated mass request designed to put operations under pressure, not to mention the chance for legal “ambulance-chasers” to set up money-making schemes using GDPR as a pretext to harass customers.
There are other implications, such as the role of the data protection officer. The DPO must be independent, an expert in data protection, adequately resourced, and report to the highest management level. Because GDPR allows the DPO to be either an existing employee or an external appointee, some firms are simply giving the role to a member of their own staff.
But, Kilpatrick argues, once those DPOs realise that they are personally liable for any failures in monitoring and that their reputation and career prospects could be permanently affected, they may want to offload the job.
“This is the other area that channels are missing out on,” says Ian Kilpatrick. Appointing a data protection officer (DPO) is itself a GDPR requirement for organisations that process certain types of data. “But when the individuals given this job realise they are personally liable and that, if found against, they may never be able to find another job in data protection, they will quickly hand it on to a third party.”