Specialist
Former Distinguished Engineer, Privacy at Google LLC
Agenda
- Size of recent major British Airways GDPR (General Data Protection Regulation) fine vs Equifax and Facebook US regulator fines, and precedents set
- Potential for fines to spur executives across industries to re-evaluate cybersecurity spending
- GDPR readiness among companies
- Security infrastructure segments most exposed to possible increases in GDPR-related spend
Questions
1.
What is your assessment of the recent British Airways, Equifax and Facebook fines? What do they reflect about changes in the data regulatory environment?
2.
How do the US and the EU data regulatory environments differ? How are they respectively assessing GDPR [General Data Protection Regulation], or data breaches or privacy laws?
3.
Do you think boards for global companies should focus more on complying with one regulator over the other, based on those contrasting EU and US frameworks and approaches to litigation?
4.
Those 20-odd EU member states have their own internal regulators who are assessing central European GDPR law. BA’s fine was 1.5% of revenue, far below the 4% it could have been. Could another country’s regulator then potentially fine BA another 1.5% or 2% of turnover? Is that a core difference in Europe?
5.
You outlined that 95% of the laws that comprise GDPR are privacy-related, and only a small proportion relate to data breaches. Although data breaches are often more newsworthy, would it be these privacy violations that command greater fines, eking up to that 4% of revenue?
6.
How do executives across different industry verticals perceive these fines? Facebook’s and Equifax’s payments dwarf BA’s, but it remains the largest GDPR-related fine that has been implemented. How would fees such as these be impacting boardrooms?
7.
You mentioned a potential unawareness of data breach risks in non-internet company boardrooms, despite the huge fines being levelled. Near-term, do you think it will still be CIOs or CISOs having to convince boards of the importance of GDPR compliance frameworks, rather than the latter taking the initiative?
8.
One-third of European businesses spoken to in a recent RSM survey admitted that they were still not compliant with GDPR. What do you think is underpinning that? Is it a fundamental lack of understanding of what GDPR means for these companies? Is it the cost structures of being GDPR-compliant?
9.
Near-term, do you think we would be unlikely to observe 4%-of-revenue fines for errors or slight discrepancies to the GDPR regulation? It would have to be a meaningful data breach, or something pretty egregious that the company was doing internally to command that kind of fine?
10.
How many years do you think it could take a company that was formed pre-GDPR to become fully compliant? How would that split between companies such as Equifax, which are very data-heavy, relative to a retail company such as BA and vs an internet company?
11.
We discussed the forecast ramp-up in cybersecurity spend, but which subsegments do you think boards will primarily focus on? Which would you say tie in the most with GDPR compliance? A lot of it seems to be about detecting a threat, and being able to respond and report that particular threat actor or that breach.
12.
Are there any specific components on the tech side that you think will really benefit from the increasing spend driven by GDPR and these regulatory frameworks?
