It is official. The General Data Protection Regulation (GDPR) is here to stay, both at home in the UK and abroad across the EU. Prime Minister Theresa May confirmed in January that Brexit will make no difference to the UK enacting this European-wide legal framework, one that will hold companies more accountable than ever in regard to controlling and processing personal data. Coming into law in May 2018, the GDPR will financially penalise organisations that are based in or operate from the EU should they fail to adequately safeguard customer data against a breach, or fail to report a breach to the supervisory authority within 48 hours.
The worst-case scenario for a business that is not GDPR compliant is a potentially crippling fine of €20m or 5% of its annual turnover. In fact, according to research by the Payment Card Industry Security Standards Council last year, if the GDPR had been in effect during 2015, UK organisations, from enterprises to SMEs, would have been fined a cumulative total of £122bn in 12 months. That works out, on average, to an £11m fine for each affected enterprise and £13,000 for each affected SME.
If breach rates continue to rise as they have done year-on-year in recent history, the total amount of those prospective fines will be even greater in 2018. Of course, fines are only one part of the puzzle. The damage from a breach that involves personal information may be far wider than ‘just’ a monetary penalty. And this type of brand damage can be far harder for organisations to recover from.
So, why are so many organisations still at risk? The answer to this question is not clear — but it does paint a concerning picture about the woeful cyber security policies of many UK businesses.
Complacency is no excuse
Many organisations were guilty of adopting a ‘wait and see’ approach to whether the GDPR was going to be mirrored in the UK or not, especially if they did not do business internationally. However, now that the enterprise has confirmation that the UK will comply with the legislation, there is absolutely no excuse not to implement a comprehensive and accountable data security strategy - straight away.
Just because businesses may be at less risk of a fine for the next 15 months does not mean that they are immune to the fallout of a breach. Just think back to some of the high-profile organisations to fall foul of cyber attacks in the last five years - TalkTalk, Mossack Fonseca and Yahoo being prime examples. Additionally, there is little excuse not to invest in cyber security now. The initial outlay to improve data protection is likely to be much less than the knock-on financial and reputational costs of a data breach. Prevention, in this case, is always much cheaper than a cure.
Boost your security stack
The unfortunate truth is that no organisation is immune to external and internal threats when it comes to data security. There are, however, steps that organisations can take to significantly reduce their risk. Should the worst happen, they can then prove to regulatory authorities that they have done what they can to mitigate the damage of a breach.
An effective security implementation is made up of a range of solutions which together provide a net of protection. This could include antivirus programs, deception technologies, encryption tools, breach detection solutions, endpoint backup and real-time recovery systems. Only with all these tools working in unison can the risk of a data breach be successfully reduced.
You will get attacked eventually
The enterprise environment today is made up of three sorts of organisations — the lucky ones that are running on borrowed time, those that have been breached, and those that have been attacked and don’t know about it. This means that security professionals and IT departments must be prepared at all times to identify, mitigate, recover, and report breaches within 48 hours in order to be GDPR compliant.
Of course, the modern BYOD environment has made it exponentially harder for organisations to keep track of sensitive corporate information, with much of it stored on laptops and tablets outside the confines of the traditional data centre. This is where advanced endpoint monitoring and backup can play a vital role.
So, with the GDPR now an inevitability for the UK, organisations need to roll out the right solutions, focus on helping employees understand what it means to be security-savvy, and develop internal policies that promote accessibility and flexibility whilst maintaining visibility over company data, whether on the premises or off.
By Rick Orloff, chief security officer at Code42
The GDPR Conference Europe is being held on the 30th January, County Hall, London.