Whilst the transition to digital has brought countless benefits to businesses, almost every organisation runs the risk of losing or corrupting sensitive data, whether accidentally or through malicious intent. It’s common knowledge that losing sensitive commercial and customer information can have serious implications for revenue, business confidence and reputation, but the damage doesn’t stop there. Those found to have violated national and regional data protection laws face fines from regulators and unlimited bad publicity. Recent research from PwC finds that UK firms alone have spent up to £3.2m on 35 fines levied by the Information Commissioner’s Office (ICO) in 2016, double the previous year. When you consider that not all European data protection regulators publicise this kind of data, the problem is likely to be much worse than initially thought.
Plans to tackle this issue are already coming into effect. 28 of the European Union member states have agreed to harmonise their data privacy regulations with the introduction of the General Data Protection Regulation (GDPR). Whilst the UK has plans to leave the EU, it too has plans to introduce a similar regulation which will ensure that UK firms handling EU data will continue to be compliant.
So, in light of these stringent regulations, why aren’t businesses more prepared for GDPR? Our recent research shows that, as it stands, organisations have varied confidence levels in the ability of their cybersecurity defences to prevent or minimise threats to their business operations, and the threats are everywhere. The high number of hacking attacks, unauthorised network access and malware incidents affecting European businesses in recent years has only added to the uncertainty felt by organisations. Only 55 to 60 percent of the companies surveyed said they were confident of being able to prevent the theft of customer information, intellectual property, and end user credentials and identities, which could be used to launch further cyber-attacks. Worryingly, this figure plummets to 45 percent when it comes to preventing employees from losing or corrupting their own mission-critical data. In fact, only 53 percent were satisfied that they could prevent an internal failure to follow proper auditing and compliance procedures. Regardless of sector, all organisations have work to do in order to reach the minimum level of GDPR compliance. If we’ve learnt anything from the past few years, it’s that all organisations can expect to be breached at some point, which is why it’s vital to aim higher than the minimum level of compliance.
Going beyond compliance
Our research shows that most businesses feel confident that they are ready to meet the requirements of GDPR, but there is some variation on the individual requisites. 84% believe they can meet the 72-hour data breach reporting timeframe, a directive which insists that breaches must be reported to the appropriate national data protection authority within three days of the organisation learning that a breach has happened. However, only half of companies are confident that they can prevent the loss of customer data, revealing the disconnect between businesses’ understanding of the conditions of GDPR and their actual capabilities. It should come as no surprise that loss of revenue was the biggest concern for 57% of businesses. The Ponemon Institute has suggested that the average cost of a data breach is around £2.5m, with those in the most regulated industries, such as financial services and healthcare, enduring the highest cost per stolen record.
There is much to be learnt from the recent breach of UK broadband service provider TalkTalk. It’s estimated that the company spent a total of £86m after 160,000 customer records were compromised in 2015.
When businesses stand to lose so much, there really is no excuse to gamble with compliance. There are a few things that businesses can do to ensure they at least meet the minimum requirements.
Steps to GDPR readiness
At the very least, an organisation needs to:
The countdown to GDPR is on, but that doesn’t mean it’s too late to begin working towards readiness. Organisations can no longer claim ignorance when it comes to data protection, and with such steep reputational and financial losses at stake, now is the time for businesses to take action.
This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.