GDPR One Year On: What have we learned?
In analysis / By Phil Muncaster / 05 April 2019
Almost a year has gone by since the biggest change to Europe’s privacy laws in a generation came into force. GDPR turns one in May, and according to the latest figures it’s already having a positive impact on organisations in terms of transparency and accountability. However, being open and honest will only get you so far. For those in professional services, it’s particularly important to use this opportunity to improve corporate cybersecurity.
Not only will this help you avoid the GDPR fines that are landing with increased regularity, but in so doing it can also protect your hard-won corporate reputation.
What is GDPR?
The General Data Protection Regulation (GDPR) is a set of data protection laws that give EU citizens more control of how their personal data is used by businesses. The new laws were designed to reflect the digital age, bringing in regulations on personal data, privacy and consent. With data such as our names, addresses and credit cards being handed over to organisations, it was important that this became regulated effectively.
First Year of GDPR
Ever since the starting pistol was fired on 25 May 2018, commentators had been waiting for regulators to levy the first major fine. After all, this was the law that introduced potentially astronomical fines of up to 4% of global annual turnover (or £17m, whichever is higher) for non-compliance. In the end it came, perhaps unsurprisingly, at the expense of a US tech giant. Google was hit with a €50m (£44m) fine by a French regulator in January for failing to properly inform customers on how it personalised its ads.
However, it’s not alone. Although there have been no more fines quite that size, regulators have been increasingly willing to penalise those seen to be failing on compliance. Most recently, the Polish regulator (UODO) slapped a £187,000 fine on a firm for its failure to notify consumers about using their personal info. As of February, DLA Piper claimed there had been 91 fines issued — most of which related to breaches of personal data — and over 59,000 breach incidents reported to regulators.
This is particularly important for businesses operating in the professional services sector. Why? Because the sensitive data they handle and trusted links to client organisations make them a lucrative target for hackers.
According to a study published by the National Cyber Security Centre (NCSC) in 2018, £11m of client money was stolen over the preceding year and 60% of law firms reported an information security incident — a 20% year-on-year increase.
An attached report highlights the top four threats facing the sector as: phishing, data breaches, supply chain and ransomware attacks.
Importance of Backing Up Data
While the link between data breaches and GDPR is well understood, the potential impact of ransomware on compliance may be less so. Ransomware attacks typically make an organisation’s data unavailable, rather than steal that data for sale on the dark web. However, according to Article 32 of the GDPR, IT teams must put in place the “appropriate technical and organisational measures” not only to secure the data, but also “to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.”
This makes backing up an essential requirement for any business, in case the worst-case scenario happens and it falls victim to a ransomware attack. But the devil is in the detail. As World Backup Day on Sunday 31st March reminded IT leaders, best practices require following the 3-2-1 model: three copies, on two different media, with one off-site (e.g. in the cloud). Otherwise, ransomware may find its way into the backup data stores.
It’s these details which make the difference between cyber protection that works, and a strategy which may actually give the organisation a dangerous false sense of security. You may nominally have disaster recovery and incident response plans, for example, but when was the last time they were tested effectively?
Similarly, you might have watertight server and network security in place, but if your employees are still using password-only logins for accounts, it’s the equivalent of locking the front door to the house and leaving the windows open. As I revealed last year, researchers found over one million email addresses and passwords linked to the UK’s top 500 law firms up for sale on the dark web. They’d been used by employees to log in to third-party sites like LinkedIn which were subsequently breached. Such troves of corporate log-in data are increasingly common on the cybercrime underground.
Time for Cyber Best Practices
It’s not easy being an IT security leader. Along with the growing risk from hackers, there’s new digital infrastructure to protect, including cloud deployments which have expanded the corporate attack surface significantly. That’s not to mention persistent industry skills shortages which can leave IT security teams stretched to breaking point.
However, by following best practices it is possible to reduce cyber risk and improve GDPR compliance efforts. It’s all about convincing the regulators you have the best interests of customers and employees at heart. This doesn’t require spending millions on flashy technology, but nor does it mean doing the minimum you believe is necessary to stay under the radar.
Cyber best practices don't just apply to desktops either: keeping mobile devices safe and GDPR compliant is just as important, especially with more and more people opting to use these devices as their main piece of equipment. We recently gave HWB Accountants some tips on how businesses can keep mobile devices secure; read the full blog on their website.
GDPR Essentials for Businesses
Consider the following as a start:
- Endpoint, network, server and web/email gateway protection, ideally from a single reputable provider
- Tight access controls (least privilege) and multi-factor authentication (MFA)
- Continuous network monitoring for threats
- End-user education (i.e. phishing simulations)
- Keep all devices and software up to date
- Follow best practice standards and frameworks. Start with Cyber Essentials. BS 10012:2017 personal information management system (PIMS) and ISO 27001:2013 information security management system (ISMS) could also help
- Consider outsourcing some or all security functions to a managed security services provider
Above all, remember that GDPR compliance is not a single process that you can tick off and move on from. It will require constant attention and a close eye on what regulators are demanding, as requirements may change over time. Follow the ICO for updates.