Intelligent CISO Issue 13 | Page 29

Editor’s question

ALAN CALDER, CEO OF VIGILANT SOFTWARE

Sadly, not what it should have been. The ICO has a 12 to 15-month investigation cycle, so it’s still dealing with regulatory action against breaches that happened under the old Data Protection Act. What we got was a big drive up to and on May 25 where organisations tried to get something like GDPR compliance in place but, in truth, from a regulatory standpoint very little has since happened. Many organisations are going ‘well, we didn’t really need to do that, there’s no fines, there’s no regulation, so we’ll just go back to what we were doing’, which means a lot of them are in for a nasty shock in a couple of months’ time when fines and so on start appearing.

Apart from an increase in the number of data breaches reported to the ICO in the UK, both by data controllers and through complaints from data subjects, the reality is that I don’t think we’ve seen any significant change in corporate behaviour. I think most of the change is still to come, and that the maxim ‘the GDPR is a journey, not a destination’ will be proved true over the next three to five years.

If you look at the ICO’s website, you’ll see there’s new regulatory action being taken every month, so it’s not as though the ICO is not doing anything – it just takes time. If a breach is reported on May 26 2018, there’s no way you’ll get a decision and a fine much before June 2019, because the Information Commissioner has a backlog of investigations. She must decide which ones to investigate, and the ICO itself has a relatively small team, so there’s a lot of organisations she doesn’t have time to investigate. She has to find out the truth, negotiate an outcome, issue it – and all that takes time.