How has GDPR affected cyber security since it became law?

March 22 14:21 2019

Businesses that overlook their data protection responsibilities now face the possibility of huge fines as well as reputational damage

The initial fanfare might have subsided, but some universal truths remain.

The General Data Protection Regulation (GDPR), which took effect on May 25, 2018, aims to give people control of their personal data and create a high, uniform level of data protection across the EU that’s “fit for the digital age”.

The reform also sets minimum standards on the use of data for policing and judicial purposes.

But what’s been the impact of GDPR on cybersecurity? Are companies increasingly looking afresh at the systems and procedures they have in place to safeguard their digital assets?

Denis Burke, director of risk and advisory at accountants and auditors BDO in Manchester, explained: “In the age of digital disruption, businesses need to be horizon-scanning for cyber threats on an ongoing basis.

“The landscape is evolving at an incredible pace and cyber criminals are sophisticated in identifying new ways of penetrating IT infrastructures.

“We’re currently seeing a lot of phishing attempts purporting to be HMRC tax refunds.

“As we approach the one-year anniversary of the GDPR legislation, we’re coming to the end of the transitional period and we anticipate that the Information Commissioner’s Office will come down hard on businesses that can’t demonstrate sufficient control and protection over the data they own – especially if they subsequently have a breach.

“With fines of up to 4 per cent of an organisation’s global turnover or £17.5m, whichever is higher, businesses must continue to sharpen up procedures.”

And last autumn the Knutsford-based Information Commissioner’s Office – which polices GDPR – announced that it planned to evolve the way it calls on companies to protect data.

GDPR mandates organisations to conduct data protection impact assessments (DPIAs) in specified circumstances.

DPIAs are used by organisations to identify, understand and address any privacy issues that might arise when developing new products and services or undertaking any other new activities that involve the processing of personal data.

In essence, the European Data Protection Board (EDPB) called on the ICO to update its DPIA guidance – which it subsequently did – to slightly relax the circumstances under which DPIAs need to be conducted.

But Burke maintains that some of the main risks to business continue to be from cybersecurity.

He explained: “In addition to fines for lack of compliance, businesses that aren’t on top of their security face very real risks from socially engineered attacks, ransomware and other targeted, advanced assaults.

“At the bottom end of the scale this could mean lost revenue or lost customers but in today’s climate the reputational damage that this poses can extend beyond repair with a serious breach threatening the life of a business.”

So, what can companies do?

“Vigilance is key and businesses need to be keeping pace with the changing landscape,” added Burke.

“Bearing in mind that criminals are always looking for the path of least resistance, the better controlled the IT infrastructure is, the less likely a business is to become the victim of cyber crime.

“There are practical steps that can be taken to reduce the risk of attack.

“As a minimum, we’d advise that businesses conduct an annual external penetration test on IT systems to identify weak points and, most importantly, address them.

“Businesses should also run internal awareness campaigns to ensure all staff are educated on the threats and what to look out for, in particular phishing, as well as frequently conducting their own internal systems testing, paying particular attention to the entrance and exit points of IT systems.

“A great starting point for businesses looking for guidance is the government’s ‘Cyber Essentials’ document, which sets out a clear framework.”

The original article (and image) was originally posted here:

About Article Author

GDPR Associates