GDPR: Beyond the regulation
Adopted last April, the General Data Protection Regulation is due to come into force across the European Union from May 25 2018.
The European Union’s impending General Data Protection Regulation (GDPR) is an intimidating prospect for businesses of all sizes. By May 2018 any company holding the personal data of people in the EU will have to comply with the new regulation – which replaces the current data protection directive, Directive 95/46/EC – or face fines of up to €20m or 4% of its annual worldwide turnover, whichever is higher.
This has enormous ramifications. For example, one of the UK’s largest telecommunications operators, TalkTalk, which was hit with a record fine of £400,000 this year, could have faced a penalty as large as £46m (€54m) under GDPR, based on the annual global revenue the company reported in 2016. The payment card industry watchdog, the PCI Security Standards Council, has estimated that UK businesses could collectively face up to £122bn in GDPR penalties if breaches continue at the unrelenting pace we are currently experiencing. With most UK businesses (and their EU peers) unable to say where their critical data lies, it is clear that the next 18 months will prove an uphill battle.
Following the belated revelation earlier this month of the world’s largest data breach, suffered by Yahoo back in August 2013 – in which over one billion users’ data was stolen – data security and privacy have never been more important. The information taken included names, email addresses, telephone numbers, dates of birth, hashed passwords and the security questions and answers associated with the accounts. Information of this kind is typically sold on the dark web to criminals who use it to commit further identity fraud, and in this case they have had more than three years of opportunity to do so.
Not only did the breach go undetected for three years, but, to add insult to injury, it was only brought to Yahoo’s attention by a third party. While it is unclear who was behind the intrusion, Yahoo confirmed it was separate from the breach it suffered in 2014 and revealed only in September this year.
Burden of responsibility
The responsibility for protecting customer data rests with the organisation, and in this case Yahoo did not do enough to ensure that its users were adequately protected. This breach underlines the need for regulation such as GDPR. Hopefully, once the legislation is in force, the repercussions of suffering a data breach will motivate organisations to secure the customer data they hold, and to notify the relevant supervisory authority of any breach without undue delay – under GDPR, within 72 hours of becoming aware of it where feasible. Fundamentally, consumers entrust their private information to the care of businesses, and they should be able to rest safe in the knowledge that it is kept securely.
Technology plays a role in mitigating the risk of a successful attack, but businesses have a history of layering one poor security solution on top of another rather than addressing the heart of the issue. Once businesses start getting the basics right, with an effective and comprehensive cybersecurity strategy, the rest should fall into place. At a minimum, companies need to be running fully updated software, performing regular security audits and penetration testing their infrastructure – and, as the Yahoo case shows, they need the monitoring in place to detect a breach themselves rather than learning of it from a third party years later.
History has shown that, until now, many businesses have not taken cyber security seriously enough, and GDPR effectively imposes a strict set of ‘parental controls’ on them. This should increase accountability and awareness of the consequences of breaches. However, regulation can only go so far. If companies focused on best practice, complying with regulation would not be an issue.
In essence, GDPR requires businesses to consider what their critical assets actually are, and how they protect them in depth. This is a crucial starting point for any set of connected security activities. Putting their most important intellectual property (IP) and data assets at the centre of a security strategy means that firms become compliant through end-to-end best practice rather than through a meaningless ‘tick box’ governance and compliance exercise. Security need not be a problem if the key data assets are adequately protected.
As we move into the new year, cybersecurity is going to be high on the agenda across Europe, with 2017 marking the mid-way point in businesses’ preparations for GDPR. Most companies now acknowledge that data assets underpin the vast majority of their business operations, whether directly or indirectly. In the current security landscape there is an opportunity to use security as a differentiator from competitors and to attract new customers.
First, however, organisations need to improve their knowledge of their own data – in particular, what exactly they hold, where it is stored, who can access it, and how to protect it properly. This task will be of particular importance in 2017.