One of the most talked-about topics at the June Infosecurity Europe 2017 conference in London was the General Data Protection Regulation (GDPR). This is a new law concerning data privacy which will make the implications of a data breach much more severe, and it comes into force in all EU countries from 25th May 2018.
It should be noted that the GDPR will affect any organisation that stores personal information on EU citizens. Under current legislation, the processing of data should happen inside the EU, unless the outside country offers a similar level of protection (for example, EU-US Privacy Shield). While the GDPR will harmonise data protection laws across the whole of the EU, which theoretically makes it easier for non-EU organisations to comply, the new requirements will be stricter which will ultimately make compliance more challenging.
The main consequence of not complying with this regulation is a fine for any organisation that suffers a data breach in which the compromised data contains personal information on someone who resides within the EU. Such data can include someone’s name or address, as you might expect, but also their IP address. This law applies to all personal data, which includes employment data and not just that of consumers. The fine can be as large as €20 million or up to 4% of annual global revenue, whichever is higher. In addition, organisations will be legally obliged to report a breach within 72 hours of it being discovered.
One question that people may have is whether Brexit will affect the GDPR. In short, it won’t. The governing body for data protection in the UK, the Information Commissioner’s Office, has already stated that it will be upholding the GDPR. While the future of UK law remains to be seen, there is a pressing urgency for organisations to get ready for the GDPR.
Everyone I spoke to at the Infosecurity Europe conference about the GDPR told me that they had started preparations, but could not clearly state how far along the compliance process they were. The fear is that many organisations are of the opinion that GDPR is a legal concern rather than a security concern. These discussions, and others, suggest that many organisations will not be equipped to avoid a fine in a year’s time.
What is the risk of GDPR non-compliance to you?
The risks of non-compliance should be considered by looking at the possible impacts and the likelihood of the occurrence of a breach. The most obvious impact is the large fine from the regulatory authorities. In addition to this, there will be the cost of informing everyone affected that their data has been breached, as well as the potential cost of removing their data should they make that request (all EU citizens will have the right, at any time, to ask for their personal data to be removed). These are the clear-cut financial impacts. There are also the impacts that are substantial but harder to quantify, such as brand and reputation damage, a decrease in trust and a negative news cycle which leads to a decrease in future revenue and lost business opportunities.
Establishing the likelihood of a breach is tricky. Data collected previously should give some indication of the probability within a 12-month period; however, organisations may not know that they have been breached and, if they do, they may not necessarily report it. While past data underestimates the likelihood of a breach, it does give us an indication.
Cisco’s 2017 Annual Cybersecurity Report provides insight into the impacts of a data breach. The organisations surveyed reported the following results of security breaches:
- 49% had to manage public scrutiny
  - 31% of those breaches were disclosed by third parties
- 23% reported loss of opportunities
  - 25% of which was a loss of between 20% and 40%
- 29% reported loss of revenue
  - 39% of which lost 20% or more
Given these figures, it is clear why Cisco, as a company that advises on security practices, does not recommend running the risk of not making improvements. The idea – or misguided hope – that a breach is unlikely is simply incorrect.
Start planning for GDPR now.
Devising or updating a risk management plan in light of the GDPR is only one piece of a larger framework. Becoming GDPR-compliant requires taking a methodical and structured approach: start by understanding what is legally required, and then develop a solution. Simplistically, this process will require identifying all of the EU residents’ data held within your organisation’s estate, consolidating it into manageable clusters of data, and then ensuring that the data is secure and would maintain privacy if breached.
The determination of compliance will not rest simply upon the technical measures put into place. There must be policies that address the GDPR and staff must be made aware of these policies through training and education. Moreover, the business processes must uphold these policies. The regulator can deem that non-compliance came from a failure in culture rather than from misconfigurations in the implementation of technologies. This is why it is important to ensure that the GDPR compliance is aligned across people, processes, and technology.
The Cisco Security Advisory Services team can help to define the roadmap to becoming GDPR compliant, as well as provide support at every step along the way in the security lifecycle.
To learn more about how Cisco Security Services can help with GDPR compliance across people, processes and technology, read more on our website. Cisco Services can also help with conducting a Cybersecurity Management Program Assessment and an intelligence-led security assessment, with preparing an Incident Response plan, and with responding should an incident occur.