GDPR One Year On – What’s Changed?

GDPR

GDPR has been with us now for just over a year – so what has changed during this period?

Businesses are now much more proactive in their approach to cyber security instigating robust systems and procedures to combat the threat of hackers.

http://cyberbrokers.co.uk/gdpr-data-protection-but-not-as-we-know-it/

The ICO have just published a report “GDPR – One Year On” which sets out a review of its first year in operation.

https://ico.org.uk/media/about-the-ico/documents/2614992/gdpr-one-year-on-20190530.pdf

Countering the Cyber Security Threat

The risk of a data breach is also now higher than ever with the changing cyber risk landscape. New ransomware strains and malware are evolving so keeping up to date protections in place is vitally important. GDPR is a clear driver of the approach that the C Suite has to instigate to protect and secure their businesses.

Among the many areas that IT Security has focused upon is back-up which is essential in protecting data. This makes it retrievable in the event of a compromise of data due to a cyber-attack.

Change in Philosophy

GDPR was a long time coming and businesses have struggled to find the resource to put in place processes to achieve compliance. Some were ahead of the game and some struggled to meet the deadline of 25th May 2018.

The philosophy to cyber security has also reached an engagement point where businesses are looking beyond GDPR. Businesses are now seeking cyber security accreditation’s such as ISO27001.

Global Effect

Other countries are also taking note of the impact that GDPR is having and bringing in similar legislation of their own.

For example the California Consumer Privacy Act (CCPA) which comes into force on 1st January next year.This provides consumers with certain rights over their personal data which is held by businesses  and is an obvious parallel with GDPR.

GDPR Fines

Regulators to date have issued in excess of 200.000 fines of which 65,000 were related to data breaches . Fines totalled E56M which includes the E50M levied against Google by the Irish Data Protection Commissioner. In this case new users were inadequately advised how personal data was collected and how this was subsequently used.

The fear of potential fines being issued of up to 4% of global turnover of a business by the regulators has not materialised yet. However from a speech made by Elizabeth Dunham , the U.K. Commissioner of the ICO recently stated in a speech that this may be about to change later in the year. The ICO it is understood have a couple of very large cases that are currently being reviewed.

Both Equifax and Uber have been fined over the past twelve months but this was under previous legislation and not GDPR.

The impact of GDPR  does appear to have improved cyber security standards. We are however waiting to see how regulatory bodies will impose the full force of non-compliance in the event of a cyber-attack that results in a significant data breach.

Image : Shutterstock

Sign Of The GDPR Fines To Come…?

GDPR Fines

It was announced last week that the credit reference agency Equifax has been fined by the ICO in  the sum  of £500,000 as a result of failing to protect the personal data of 15 million UK citizens and 146 million in the US during the 2017 data breach.

http://cyberbrokers.co.uk/equifax-the-anatomy-of-a-data-breach/

The long awaited ICO report found that the UK arm did not have in place the appropriate steps for processing and protecting the personal information of its data subjects.

https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2018/09/credit-reference-agency-equifax-fined-for-security-breach

The joint ICO and FCA report highlighted the following :-

  • Data was retained for longer than was necessary
  • Inadequate measures were in place to manage personal information
  • IT security was not of the highest standard with the compromise of data being likely.
  • The US Department of Homeland Security had advised Equifax Inc about a critical vulnerability in 2017
  • Customers data should have been treated in a much higher regard.

The investigation was carried out under the 1998 Data Protection Act as opposed to the recent General Data Protection Regulation (GDPR) that came into force on 25th May this year. The ICO imposed the maximum GDPR fine of £500,000 under the previous Act.

Under the GDPR the ICO has the powers to set a maximum possible fine of 4% of Global turnover of a company the consequences therefore of this data breach could have been much higher should this data breach have occurred post 25th May this year.

The approach by the ICO to GDPR fines and the imposing of these to businesses who are responsible for data breach is still very much unknown as the climate remains untested and only time will tell how this is imposed and to its possible severity. The Equifax fine does suggest that the ICO will be treating such data breaches very seriously and will wish to demonstrate that the new legislation does have “teeth” and that they will act accordingly.

 

Image : Shutterstock

Is Our Data Safer Under GDPR?

GDPR

Now that GDPR is in force will this make our data safer…..

The volumes of data running through businesses in the UK is difficult to visualise and practically impossible to safeguard so will GDPR actually make any difference to our data being better protected? The chances are that it will be but the same inherent threats will still exist.

So what are these threats ?

1.Businesses that have not yet complied with GDPR

In the the run up to GDPR a number of reports indicated that many business were behind in achieving the required standards expected there is therefore a danger that firms are still very much behind the curve in meeting the GDPR standards.

2.Inability to restore data

In the event of a compromise of personal data it will be important that a businesses can restore data by having the appropriate back-ups in place if this is not possible this will impact on their business confidence and reputation.

3.Internal espionage

Rogue employees or a disgruntled member of staff might wish to cause disruption or make a point on a company wide issue. Morrisons were recently involved in a court case and found vicariously liable for the acts of an employee who gained access to the personal details of employees and released this into the public domain.

http://www.hrmagazine.co.uk/article-details/the-morrisons-data-breach-and-gdpr-compliance

4. Heightened cyber security threats 

It is conceivable that there will a visible increase in cyber attacks on businesses as hackers will target firms for their data and exploiting vulnerabilities. Such threats as ransomware or a DDos attack where a hacker could hold a business to ransom by threatening to steal or disseminate data.

http://cyberbrokers.co.uk/will-ransomware-attacks-increase-under-gdpr/

5. Poor cyber risk management

A data controller with poor cyber risk management would be a prime target for a hacker. Basic cyber hygiene is vital with minimum standards of Cyber Essentials and preferably ISO27001 advanced cyber security processes in place.

6. The absence of an incident response plan

If a businesses is hit by a data breach it will need to react quickly to this, an incident response will assist with this . Business continuity and disaster recovery plans should also be in place so that the business can continue to operate.

Cyber Insurance can help….

This specialist form of insurance can provide valuable coverage in the event of a data breach and help mange the impact of this.

The main elements of coverage provided to protect data are as follows:-

  • Privacy Liability
  • Data notification costs
  • Regulatory costs and expenses
  • 24/7 Incident response services

There is no doubt that data will still be at risk with threats to its security emerging as technology and the incentives to use data for ill means increases.

Image : Shutterstock

GDPR – Data Protection But Not As We Know It

GDPR

On the 25th May the General Data Protection Regulations ( GDPR ) comes into force which will change the whole world of how personal data is managed for individuals that live within the EU member states.

The concept behind this is to give people back control of their data which imposes strict data protection obligations on businesses and provides individuals with the right of redress should their data not be managed in accordance with these regulations.

Despite the fact that the UK will be leaving the EU next year, the regulations will apply to UK businesses after which these will then be replaced by the proposed Data Protection Bill that will impose similar data protection regulations.

GDPR is arguably long over due, in the UK we currently have the Data Protection Act 1998, to put this into context at the time that this was implemented , there are analogue television and dial – up internet…. .. The increase in the use of personal data has increased dramatically since then due to the advances in technology and how people interact with the many modes of communication such as social media.

In the UK the Information Commissioners Office (ICO) will monitor and regulate the GDPR. The ICO website provides a guide to businesses explaining their obligations and to help those individuals who have day to day responsibility for data protection within their organisation.

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/

In order to help businesses prepare for for these new regulations the ICO have published “Preparing for the GDPR – 12 Steps to take now

https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf

What types of data does this apply to ?

This relates to any information which is personally identifies an individuals and includes the following :-

Names & addresses

Passport Number

National Insurance Number

Photographs

Biometric data such as fingerprints , iris scanning and voice recognition

The Dangers of Non-Complaince 

The profile of GDPR is gathering moment and no doubt individuals will wish to be aware of the amounts data that is held against their name. With this will bring about situations where individuals request details and these are unavailable due to non-compliance with business being unable to produce the information at all or within the required time limits.

The other issue and the one with the most significant consequences is where a business suffers a data breach as a result of a hacker attack or an perhaps an error or deliberate act by an employee, the details are then disseminated into the public domain or used for ill gotten gains. The ICO has powers to issue fines of up to 4% of  worldwide turnover of a businesses or 20 million Euros whichever is the greater. This is an uplift from GBP500,000 under the current regulations, this therefore represents a significant increase and demonstrates that a serious non-compliance will have severely consequences.

Managing GDPR

It will be essential that the correct processes and procedures are in place and in the event of a data breach it is important that an incident response plan is readily available whether this having been drawn up internally or with the help of a specialist consultancy. The incident response plan will consists of various vendors to help manage the breach such as lawyers and public relations consultants.

A cyber insurance policy provides such resources and is offered by insurers on a 24/7 basis should the policyholder be subject to a data breach.

The management of these new regulations within a businesses is going to be a fundamental focal point going forward with personal at all levels needing to be aware of their day to day obligations in the processing and handling of data.

Image : Shutterstock