In the mid-90s, the average family home had a single computer that everyone shared.
Fast forward twenty years, and every British family now has on average 7.4 connected devices in the home. Scale that up to the European population and that is a vast amount of personal data being tracked, collected, and marketed.
What does GDPR 2018 Compliance Mean for Us?
The European Union's General Data Protection Regulation (GDPR), which applies from 25 May 2018, replaces the 1995 Data Protection Directive and is the first EU-wide attempt to safeguard personal data in the new digital era. Under this regulation, people have the right to ask organisations what personal information they currently hold, how their data is being used, and to object to that use or ask for the data to be deleted – including the controversial 'right to be forgotten'. By law, organisations must fulfil such requests, and failure to do so can result in costly fines. The aim of GDPR is to put citizens back in control of their personal information, and also to provide a single standard that organisations across Europe can adhere to without confusion. Every company that does business in the UK or Europe, or that offers goods or services to EU residents from elsewhere, will be affected and will need to re-evaluate how it captures, stores, manages and, most importantly, protects customer data.
With the rise in data breaches and cybercrime, data protection has quickly become one of the greatest challenges companies face today. In the first half of this year there were nearly 1,000 reported data breaches globally, and in Q1 alone 22 breaches each resulted in the compromise, theft, or loss of more than a million records. That is why the ability to detect a data breach and thoroughly understand the circumstances surrounding it is so important, especially under GDPR's notification requirements.
So how can an organisation truly protect customer data and stay compliant when security risks are at an all-time high? Preparation. It may seem obvious, but a robust cybersecurity awareness programme must include breach monitoring, detection, and reporting processes that are well documented and accessible to all employees. While 78% of large enterprises do have a defined incident response and management procedure in place, 22% still do not, according to research from Frost & Sullivan.
Additionally, even among the 78% with defined procedures, 15% of employees are not aware of their organisation's incident response procedures. Worryingly, this gap extends to departments that handle customer data. Support functions such as Finance, Human Resources, and Legal all handle data protected by GDPR, yet only 57% of UK enterprises have implemented security programmes with formal guidelines in these critical departments. These departments work daily with highly sensitive consumer data, as well as data that can move stock prices or enable insider trading. Most large organisations also have a sizeable Sales and Customer Contact department, yet almost one third have implemented security programmes there without formal guidelines, and 11% have no security programme or guidelines at all. These departmental gaps should raise red flags: the more touchpoints customer data passes through, the higher the risk if each is not properly protected.
GDPR Breach Notification and Penalties
The new EU regulation states that a controller must notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach, supplying the required information; failure to do so can be subject to fines of up to €10 million or 2% of worldwide annual turnover for the preceding year, whichever is greater. Employees who are unaware of their organisation's incident response procedures can delay the report past the 72-hour deadline, leading to increased fines and revenue loss.
When it comes to reporting an incident, new guidance from the Article 29 Data Protection Working Party on GDPR breach notifications encourages organisations to include notification to the supervisory authority as a key step in their incident response plan. It also outlines practical steps that every organisation can implement:
- Information concerning all security-related events should be directed towards a responsible person or persons with the task of addressing incidents, establishing the existence of a breach and assessing risk.
- The risk to individuals as a result of the breach should then be assessed (no risk, a risk, or a high risk), and the relevant parts of the organisation informed.
- The supervisory authority should be notified unless the breach is unlikely to result in a risk to individuals; where the risk is high, the affected individuals should be informed as well.
- In parallel, the controller should act to contain the breach and recover from it.
Implementation and Solutions for GDPR
The reality is that the threat landscape will continue to evolve, and at a much faster pace than most businesses are prepared for. Having an incident procedure in place is only half of the battle. Cybersecurity procedures need to be regularly reviewed and tested, ideally through penetration testing, to identify vulnerabilities, prepare the organisation for future threats, and remain compliant under GDPR.
As the regulation's start date approaches, it is time for business leaders to take a hard look at their data protection and security practices and ask whether enough is being done to protect their business and, more importantly, their customers. If there is scope for improvement, act on it. There is no room for procrastination when an organisation's future is at stake.