SEC Business Breakfast EU GDPR: “Pretty Little Lies – Stop Fooling Yourself”


Time is running out. Only about 400 days are left until the EU General Data Protection Regulation comes into force. Many companies may still not be aware of their obligations.


EU General Data Protection: The 5 Biggest Lies That Will Ruin Your Company

Markus Robin, General Manager SEC Consult, and data privacy expert Dr. Rainer Knyrim welcomed 50 enterprise representatives from different industry sectors to talk security. Both experts explained the new rules of the EU General Data Protection Regulation and highlighted the necessary steps that companies should already have taken or should take now.

Once more, the IT security company SEC Consult invited representatives of business, finance and public service to join the SEC Business Breakfast. On March 2nd, 2017 in Vienna, Markus Robin and Dr. Rainer Knyrim informed a keen audience about the upcoming EU General Data Protection Regulation. Companies must implement organizational and technical protection measures in the areas of privacy and data security, and these must be proven and documented. The biggest problem: many companies still do not recognize the huge effort the new law brings with it and run the risk of deceiving themselves. So if you are telling yourself the following, please also consider the answers of our experts:


You Tell Yourself That


1.  …there is still enough time to implement all necessary steps to be “data-ready”?

If you think 400 days are enough time to fulfil all the conditions, then you have already done the following: You have appointed a project manager, who has defined the scope and classified all data. He or she knows how far the security measures comply with the latest state-of-the-art technology. Furthermore, the project manager is responsible for regular testing of all security measures, so you have already done things like DDoS or penetration tests. If these steps have not been taken yet, then you have to hurry up and start with these actions.


2.  …you don’t have any sensitive data in your company?

If you are sure that you are not processing sensitive data in your company, you have already asked yourself what type of data is being processed and the purposes for which this is done. Maybe the answer to this question shows that your company is not storing data that includes facts about religion, health, sexuality, finances or other very personal information. But reality is different: You probably still collect data from your employees' sick leave or store the application forms of various candidates. These processes already create sensitive data in your company. In that case, the EU General Data Protection Regulation also affects your company. Therefore, you should classify your data, look for contamination and start a deletion process for old data, because there is no need to store it forever.


3.  …you would rather pay the penalty than fulfil the new regulations?

“Companies have to face a massive penalty increase: In earlier days they had to pay fines up to 10 thousand euro, now we are talking about forfeits starting with 10 million euro”, Dr. Knyrim explained. The level of the penalty for violating the necessary measures will be determined by the preparations that have been made, but it can reach up to 20 million euro or four percent of the prior year's sales. “Companies should consider that implementing cybersecurity measures is a lifetime investment, which guarantees business on a high security level”, Robin emphasized. Therefore, it’s not just about complying with the law, it’s also about offering a safe workplace and being a responsible business partner.


4.  …you don’t need an implementation partner for that?

Companies need to know the rules of data processing. It’s not enough to appoint a data protection officer: In case of data abuse, a company has to inform the competent authority within 72 hours. Reality shows that organizing such a report within three days often fails because of internal processes. Therefore, an implementation partner who offers an emergency hotline is the best solution. Being apart from the daily business, an external partner is able to focus on the incident. Furthermore, an implementation partner is a great support in fulfilling the requirements concerning information and documentation obligations and transparency demands.


5.  …you have critical and vigilant employees?

Social engineering, phishing attacks or “fake president frauds”: these days, cyber-attacks that trap employees are common. Companies need to integrate employees proactively in their security measures. Employees need to know their rights and tasks and how to handle sensitive data. Workshops on a regular basis can help to prevent data leaks or abuse caused by unawareness or human error. Therefore, critical and vigilant employees complete a sustainable and elaborate IT security strategy.

With 400 days remaining, now is the time for the truth: If you don’t start a risk analysis and prepare an implementation plan IMMEDIATELY, you will not be able to fulfil all conditions by May 25th, 2018.

Companies should start to deal with the new organizational and technical legal requirements as soon as possible. “In case of data abuse the competent authority considers the realised preparations in the level of penalty. So it’s never too late to start with the implementation,” Markus Robin told the audience. Therefore, the budget for IT departments is no longer a nice-to-have for companies; from now on it’s a must-have. “With every lost day the complexity of the implementation increases. With only little time left, companies really should work with external experts, who are not integrated in the daily business”, Dr. Knyrim advised.




About the SEC Business Breakfast: SEC Business Breakfast is a networking series by SEC Consult about current cyber security topics that addresses chief information officers. A casual environment with a delicious breakfast provides space for networking and discussions, as well as insights and recommendations from security experts.