2018 brought about a major shift and more clarity in the world of individual data privacy. Last month marked the one-year anniversary of the introduction of the European General Data Protection Regulation (GDPR). The regulation was an attempt to unify the existing data protection legislation put in place by individual EU member states. GDPR is designed to guide businesses in protecting the personal data of EU citizens and covers any data that could be used to identify an individual. This includes medical records and genetic or economic information, the very elements that are the target of a data breach.
The GDPR requires all organizations to report certain types of personal data breaches to the relevant supervisory authority. The regulation indicates that you must do this within 72 hours of becoming aware of the breach, where feasible. It’s interesting to see how effective the new regulation has been and where organizations stand when it comes to GDPR compliance. Let’s have a look at the status quo of businesses under GDPR regulation since it was introduced.
Lack of Board-level Awareness
Headline-grabbing fines indicate that organizations are characterized by poor board-level awareness, a lack of priority given to data management, untrained employees, and a habit of postponing or ignoring security investment. In the three months after GDPR was introduced, the Information Commissioner’s Office (ICO) said it had found evidence that unpreparedness, or an unwillingness on the part of senior executives to disclose sensitive data, was to blame for uncooperative breach notifications. If you struggle to make the case for cybersecurity in front of your board, my colleague wrote a blog on how to talk about cybersecurity in your organization.
EU Full of Data Breaches
A recent DLA Piper report offered an analysis of data breaches across the EU, their reporting mechanism, the GDPR fines, and how the breaches were spread across the EU. What happened between the introduction of the new regulation and the publication of the report, and what do the numbers indicate?
The report reveals that 59,000 incidents were reported to the regulators (the numbers were gathered from EU countries by DLA Piper; however, please note that not all EU members disclosed such information). These range from minor breaches, such as emails sent to the wrong person by mistake, to major hack attacks that make headlines. The UK was among the countries with the most notified data breaches. To date, according to the report, 91 fines have been imposed under GDPR. The highest is the £44 million fine the French data regulator imposed on Google for breaching data protection laws.
Protect Against a Data Breach
It’s important to understand what GDPR compliance means to the IT security professional. One significant problem seen in the security industry is businesses' inability to detect threats in time to act. Unfortunately, security is usually delivered with a broad brush across organizations, with the specific risk to systems neither well understood nor assessed in detail. The recent Hiscox Cyber Readiness Report highlighted some key deficiencies in UK investment and behavior in comparison to our European cousins: reduced spending, fewer organizations with specific security staff in house, and a lower percentage stating that they had made changes because of regulatory changes.
How many businesses have their own Security Operations Centers (SOCs) or threat intelligence teams that understand the threat landscape and the structure of cyber attacks, and can therefore configure and tune the security infrastructure to detect these threats? In the end, doing this is unlikely to add business value, so investment is low; security monitoring and assessment is therefore a prime candidate for a buy-not-build approach.
Is Your Business GDPR Compliant?
Why do I ask—even after one year? Because being GDPR compliant is very complex and very important. It requires detailed strategy and collaboration with all stakeholders in your chain, as well as a realistic, solutions-based approach to breach and threat detection. We can’t just hope for data breaches not to happen; in order to comply, you need to make sure your IT security posture is robust or suffer the consequences of non-compliance.