GDPR Compliance Right to be Forgotten -- One Year On
2018 brought about a major shift and more clarity in the world of individual data privacy. May marked the one-year anniversary since the European General Data Protection Regulation (GDPR) was introduced. The regulation was an attempt to unify the existing legislation put in place by individual EU member states. GDPR is designed to guide organisations in protecting the personal data of EU citizens and covers any data that could feasibly be used to identify an individual. This could include medical records, genetic information or economic information - these elements are the target of a data breach.
The GDPR required all businesses to report certain types of personal data breaches to the relevant supervisory authority. The regulation indicates that you must do this within 72 hours of becoming aware of the breach, where feasible. It’s interesting to see how effective the new regulation has been and where organisations stand when it comes to GDPR compliance. Let’s have a look at the fate of businesses under GDPR regulation since it was introduced.
Poor Board-level Awareness
Front-page headline-grabbing fines indicate that organisations are characterised by poor board-level awareness, a lack of data management priority, untrained employees, and a habit of postponing or ignoring security investment. In the three months since GDPR was introduced, the Information Commissioner’s Office (ICO) said it had found evidence that unpreparedness, or a lack of willingness on the part of senior executives to disclose sensitive data, was to blame for uncooperative breach notifications. If you struggle to make the case for cybersecurity in front of your board, my colleague wrote a blog on
Data Breaches Across the EU
offered an empowering lens through which to view the issue of data breaches across the EU: how they were reported, the GDPR fines imposed and how the breaches were distributed across member states. What happened from the time the new regulation came into force to the issue of the report, and what story do the numbers tell?
The report reveals that 59,000 incidents were reported to the regulators (the numbers were gathered from EU countries and compiled by DLA Piper; it is, however, significant to highlight that not all EU members disclosed such information). These range from minor breaches, such as emails sent to the wrong person by mistake, to significant cyber attacks that make headlines. The UK was among the countries with the most data breaches notified. To date, according to the report, 91 fines have been imposed under GDPR. The highest is the £44 million fine imposed on Google by the French data regulator for breaching the data protection laws.
How to Protect Against a Data Breach?
What does GDPR Compliance mean to the IT Security Professional? One significant problem seen in the security industry is businesses' inability to detect threats in time to act. Unfortunately, security is usually delivered with a broad brush across organisations, with the specific risk to systems not well understood or assessed in detail. The recenthighlighted some key deficiencies in UK investment and behaviour in comparison to our European cousins: reduced spending, fewer organisations with specific security staff in house, and a lower percentage stating that they had made changes because of regulatory changes.
How many businesses have their own Security Operations Centres or threat intelligence teams that understand the threat landscape and the structure of cyber attacks, and can therefore configure and tune the security infrastructure to detect these threats? In the end, doing this in house is unlikely to add business value, so investment is low; security monitoring and assessment is therefore a prime candidate for a buy-not-build approach.
Are you GDPR compliant?
Even one year later I still need to ask the same question. Why? Because being GDPR compliant isn’t easy, but it’s important. It requires detailed strategy and collaboration with all the stakeholders in your chain, as well as a realistic, solutions-based approach to breach and threat detection. We can’t just hope for breaches not to happen; to comply, you need to ensure your IT security measures are robust or suffer the consequences of non-compliance.