Can you provide some context into how data privacy regulations are being addressed post-Brexit?
Mathieu Gorge: What is happening right now is that there’s a lot of uncertainty with regards to data protection in the UK. We’re getting a lot of questions from clients as to what we can do to the transfer of data between Europe and the UK post-Brexit.
First, it's worth noting that GDPR came out in 2018, but the UK has been preparing for GDPR just like every other EU country for a number of years, and the new Data Protection Act that came out in the UK is generally in line with GDPR. If you,re not part of the EU, you need to be able to demonstrate that you have at least the same level of data protection as is required by GDPR. The question is how to prepare for that because the UK has exited the EU. So technically, they’re no longer part of that process. The uncertainty comes from the fact that there are a few months where there’s an exemption period; there’s some leeway for organisations to get started.
Second, the Information Commissioner,s office in the UK is still proceeding with inquiries, fines and so on. And in fact, some of the biggest fines issued under GDPR have been issued by the UK before they left, so, for example, Marriott and British Airways, which admittedly were brought down from around £100m ($138.6m) to £20m and £200m to £20m respectively. But they still are not very small numbers. It might be small for most companies, but they are scary numbers. And then we're also seeing other regulators in Ireland and France continuing to issue fines. So this is not going to stop.
Rowan Fogarty: Bizarrely enough, the UK was one of the leading proponents of GDPR and led the way in implementing it. Therefore, there’s an expectation that the regulations in the UK post-Brexit will remain strongly aligned with EU GDPR, and that the EU Commission would adopt the adequacy decision, which would allow data to transfer from the European Union to the UK without any further safeguards. That, like a lot of the detail around Brexit, still needs to be done. Therefore, there’s an initial four months from the end of the transition period, which can be extended to six months. Basically, it will extend to six months unless something has been agreed in the meantime. So everybody is continuing as they were previously until something happens.
The expectations were that the adequacy decision would go ahead. Recently in the last couple of weeks, because some noises have been made in the UK by some politicians about diverging from European standards, some people have expressed concerns that have applied to data protection. So it may not be possible to implement the adequacy decision. But I don’t think there’s anything substantial behind that at the moment.
In your experience, would you say companies are generally compliant?
RF: Yes and no. I still think we are ina situation now where there are people in business who consider GDPR to be an impediment to what they consider to be normal business, and therefore they have resisted it. And then there are people who believe that GDPR has now been suspended, not because of
Brexit but because of COVID, and that it shouldn’t come back because it actually worked against looking after the best interests of people in such an emergency. GDPR had all of the caveats and exclusions necessary to allow data to be shared to protect human life and human wellbeing, so that,s not very accurate. But the reality is there are still a lot of people who are anti-GDPR, and they may jump on one or another of these bandwagons.
Are smaller companies subject to smaller fines if found in breach of regulation?
MG: They might be smaller, but they’re not necessarily completely small. There’s also a caveat in the GDPR that the regulator might actually prevent your organisation from collecting personal data, which in most businesses would actually close them. And that could happen to a small business handling very sensitive data. Think of a small health practice, for example, or a small insurance company that would have highly sensitive information. It could be a very small business in terms of number of employees, revenues and so on, but potentially it might have a website or an app that is completely insecure. They still need to comply with regulation. That’s typically a last resort, though. I don’t think regulators want to close businesses in the middle of a pandemic and a recession. But, technically, it could happen.
How does VigiTrust help companies remain compliant?
MG: We provide a tool called VigiOne, which is an integrated risk management piece of software that allows companies to prepare for, validate and manage their compliance with the likes of GDPR data protection acts and so on. It includes e-learning, policies and procedures – all of the official checklists and official documents to show you’re in compliance.
In the case of GDPR, you can list all your workflows, your data protection officers and so on. Our tool allows companies to manage that on an ongoing basis.
I often say security is a journey, not a destination. So you have a few pit stops along the way. But this is actually a good case study because you might have had companies in the UK that were completely compliant with GDPR and the Data Protection Act. They thought they were doing everything right, but now something changes. The system changes, the way the system is going to be monitored is changing too, so they need to go back to the drawing board, or at least they need to update what they're doing in order to make sure they remain compliant. It’s a moving target. It’s difficult to remain in compliance, and that’s why some organisations that have good strategies will industrialise their process by using a tool like VigiOne, or some of the other tools on the market.
Can you see the pandemic having an impact on the situation in the coming months?
RF: My experience with deadlines and Brexit is that they are built to be extended. This one has already got an automatic extension in it. Will we have reached agreement on the details by six months’ time? Probably not. So chances are it will be extended.
MG: I do think, though, that the COVID element is something peopleneed to be aware of. Because with COVID, the risk surface of any organisation has dramatically increased. And the reason for that is organisations went from having maybe 10% to15% of people working from home or travelling, to 90%, sometimes 100% overnight around March last year. So we end up with people using home devices for company business from home, that are completely invisible to any type of generic enterprise network security. We have a lot of people working from home that haven’t been trained on the best practices as to how to protect your work environment when you're at home or when you travel.
And criminals are actually going after that increased risk surface. We’ve seen a huge rise in ransomware, we’ve seen a lot of new phishing attacks, and we’ve seen some very clever attacks on CEOs and C-level people. So I think this is having an impact. From a Brexit perspective, I think there’s probably going to be a few extensions here and there, but at some stage it has to stop. So leaning on the extensions is not a strategy, it’s just a tactic to have a bit more time to do the right thing.
How can gaming companies ensure they remain compliant?
MG: My advice would be for them to have a cyber security strategy that's driven from the top. So from top management, to club members, to executive suites, and that they make sure their privacy policies and their security strategy is visible to all users.
They should also have a programme truly mapped, showing their ecosystem from a technical perspective and from a user perspective, and, in general, show the technical controls they put in place: the policies, training, and a continuous aspect of that so if the regulator knocks on the door and says, “This is an area we want to regulate; we want to check if you're doing the right thing,” that companies can say they’re in control; they know where the data is and they can confirm they’re taking appropriate security measures.
In the case of online gambling - where you have credit card information from people, potentially credit history, and potentially other details – you must know all of the most sensitive information is on a need-to-know basis internally. You have to have two-factor authentication, encryption, training for technical staff, that you get external companies to pen test on a regular basis; and that you have
a GDPR programme or a Data Protection Act compliance programme, so at the click of a button, you can show where you’re in compliance, where you may not be in compliance but are working towards compliance, and you can reassure people you're doing it the right way.
Gambling obviously has a lot of reputational perspectives to it. So you need to protect the reputation of your users, and protect the reputation of your platform. You don’t want the names of your users to appear in the newspaper, you don’t want your platform to be labelled as insecure, and you also don’t want your name to appear with a fine. So, again, the way to do that is to map out your ecosystem, test it out, and make sure you can demonstrate that you’ve taken the right and appropriate measures.
Would that advice be similar for all companies, regardless of what industry they are in?
MG: It would be similar, but I think it depends on your risk surface and your appetite for risk. There’s only a few things you can do with risk. You can ignore it, which you shouldn’t, or you can transfer it, but if you transfer the operational risk to a third-party managed services provider, for example, you still own the legal risk.
You can then assess the risk and mitigate it, but eventually you end up with residual risk, and it’s that risk you need to demonstrate to the regulator that you are protecting against in the right way.
It's universal, but in the case of gambling, because of the nature of the data you have, just like health or insurance, these are sectors that are really targeted; so obviously they need to double up on security.
“Security is a journey, not a destination. So you have a few pit stops along the way. But this is actually a good case study because you might have had companies in the UK that were completely compliant with GDPR and the Data Protection Act. They thought they were doing everything right, but now something changes. The system changes, the way the system is going to be monitored is changing too, so they need to go back to the drawing board, or at least they need to update what they're doing in order to make sure they remain compliant” - Mathieu Gorge
