What does GDPR mean to security?
Falling victim to a cybercrime is bad for business – no surprises there. Between the disruption, the effects on reputation, the loss of sensitive company data and regulatory fines, the costs can run into hundreds of thousands or even millions. In some cases, the company involved never recovers. With the arrival of GDPR (General Data Protection Regulation) in May 2018, however, there’s potential for those costs to rise even further. With fines that extend into the millions, many companies fear that an attack from a predator like the Wolf might be all it takes to bring them down for good.
New responsibilities and new penalties
What’s the problem with GDPR? After all, isn’t it designed to strengthen the rights of the individual, and give EU subjects more control over how their personal data is used? Well, yes. Delivering a consistent approach to data regulation across the EU – including the UK when the new regulations take effect – it affects every company that stores or processes information on EU subjects, wherever the company is based. Whether it stores and processes the data in-house or controls how it’s handled by a third party, GDPR gives companies new responsibilities to look after personal data.
In theory, there’s nothing too scary about GDPR. It clarifies legal positions about how and why organisations store personal data and gives citizens more control. It gives individuals rights, like the right to know what data an organisation holds on you, or the right to be forgotten – to have all that data deleted permanently. It defines when an organisation needs explicit consent to use personal data, and under what conditions or for what purposes it might be used otherwise. In a world where many people have legitimate concerns about the information companies hold on them, not to mention what’s done with it, GDPR is a useful safeguard.
What worries companies, however, are the new regulations surrounding data breaches. First, companies have new responsibilities to report a data breach, both to the relevant data protection authority (here the ICO) and, in cases where there’s a potential negative impact, to the individuals affected. Companies can also be fined – and those fines have risen from the previous maximum of £500,000 to up to €20 million or 4% of the company’s annual turnover. Understandably, many businesses worry that the cumulative effect of a breach and the fine may be enough to put them out of business.
The outlook isn’t actually quite so grim. The ICO has explained that it’s only mandatory to report a breach when it’s likely to result in a risk to people’s rights and freedoms, so not all breaches will need to be reported. If an individual might face discrimination, damage to reputation, financial loss or some other clear disadvantage, they need to know about the breach. No risk? No need to mention it. Nor are organisations required to report comprehensively on the breach while they’re still learning about it themselves. There’s a requirement to report within 72 hours of becoming aware, and without undue delay, but as long as companies can give good, honest information about the scale of the breach and what they’re doing to fix it within that timeframe, that’s enough. More information can be added later on.
Perhaps most importantly, the ICO has said that GDPR fines will be proportionate, and not dished out for every infringement. In many cases data breaches will come under the second tier of penalties, with a maximum fine of €10 million, and even then fines will be used as a last resort. In the words of the commissioner, Elizabeth Denham: ‘while fines may be the sledgehammer in our toolbox, we have access to lots of other tools that are well-suited to the task at hand and just as effective.’ Warnings, reprimands and corrective orders are expected to hit some corporations just as hard.
Why the predators don’t like GDPR
Perhaps more importantly, GDPR can be seen as an opportunity to tighten up data practices, putting strategies and policies in place that enhance security, in effect, slamming the door on the wolves. GDPR requires companies to take steps to ensure the ongoing confidentiality, integrity, availability and resilience of their systems, and to document these measures in order to establish a track record. That means that preparing for GDPR isn’t just good for compliance, but for your data security in general.
Sensible measures should include:
Auditing and risk assessment: The analysis of all the personal data used in the business, and the systems and devices used to store, access and process it. In order to comply with GDPR, you need to know where the data lives, who has access, and where and how it’s used. Having this information, with a proper assessment of the potential risks attached to that data, isn’t just useful for GDPR, but a good starting point for a revised security strategy.
Checks for cloud service partners: Part of GDPR compliance is ensuring that any service partners storing or processing data on your behalf are compliant. Again, this is a good opportunity to review their security, the access they have to your data, and whether this leaves any vulnerabilities open that others might exploit.
Risk assessment of devices: Check everything from your servers and storage infrastructure to laptops, PCs and mobile devices. Are there security flaws you should have dealt with? Are you using old devices that are inherently insecure? Too many businesses overlook printers and multi-function devices, thinking they pose no security risk. In fact, they’re complex computers handling sensitive data both in transit and at rest, and they may be used as a backdoor to the network as a whole. Use GDPR to challenge your assumptions and ensure you leave no stone unturned.
In-depth review: GDPR is a great reason to check your processes and policies and ensure that they promote privacy and data security, and don’t put individuals’ data at risk. What’s more, it’s a chance to rethink access rights, ensuring that only those with a genuine business need to access data have the access rights to do so.
Lock down your data: Too many data breaches are caused by stolen or misused credentials, while too few are prevented by the use of strong encryption. Consider using multi-factor authentication, using tokens or biometric factors, and make sure that data is encrypted so that, even if it leaks, it’s of no use. Any such steps taken to mitigate risk could work in your favour in the event of a breach.
Monitor, log and audit: Close monitoring of systems, logging and auditing can do three things. Firstly, they can help you spot an attack or breach before it’s too late to stop it. Secondly, they can help you work out the size and scope of a breach and take effective measures to repair it. Thirdly, they can help you track the attack and its impacts and prove compliance. Again, what’s good for GDPR also helps make your business more secure.
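As an added illustration of the monitoring point above (this is example code written for this page, not the article’s own material), the script below scans authentication log lines for the pattern the previous item warns about, a run of failed logins followed by a success on the same account, which is a common sign of stolen or guessed credentials. The log format, field names and the sample lines are all constructed for the example; a real deployment would read from the organisation’s own authentication logs. Besides raising the alert early, it records first and last timestamps and the source addresses involved, which is exactly the information needed to size a breach and document the response.

```python
"""Added example (not from the original article): flag accounts where a
successful login follows a burst of failures, and keep enough detail for
breach scoping and audit. Log format and field names are assumed."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in an assumed "timestamp user result source" format.
SAMPLE_LOG = """\
2018-05-25T08:00:01Z alice FAIL 203.0.113.10
2018-05-25T08:00:02Z alice FAIL 203.0.113.10
2018-05-25T08:00:03Z alice FAIL 203.0.113.10
2018-05-25T08:00:04Z alice FAIL 203.0.113.10
2018-05-25T08:00:05Z alice FAIL 203.0.113.10
2018-05-25T08:00:09Z alice OK 203.0.113.10
2018-05-25T08:01:00Z bob OK 198.51.100.7
2018-05-25T08:02:00Z carol FAIL 198.51.100.8
2018-05-25T08:02:30Z carol OK 198.51.100.8
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<result>OK|FAIL) (?P<src>\S+)$")


def parse_log(text):
    """Yield parsed events; malformed lines are skipped so one bad line
    does not abort an audit run."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield {
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": m["user"],
            "result": m["result"],
            "src": m["src"],
        }


def flag_suspicious_logins(text, fail_threshold=5):
    """Return {user: summary} for accounts whose successful login is
    immediately preceded by at least fail_threshold consecutive failures.
    The summary carries timestamps and sources so the scope of a possible
    breach can be established and written up."""
    streak = defaultdict(list)  # user -> consecutive failed events so far
    findings = {}
    for ev in parse_log(text):
        user = ev["user"]
        if ev["result"] == "FAIL":
            streak[user].append(ev)
            continue
        # A success resets the streak; decide whether it was preceded by a burst.
        fails = streak.pop(user, [])
        if len(fails) >= fail_threshold:
            findings[user] = {
                "failures": len(fails),
                "first_failure": fails[0]["ts"].isoformat(),
                "success_at": ev["ts"].isoformat(),
                "sources": sorted({f["src"] for f in fails} | {ev["src"]}),
            }
    return findings


if __name__ == "__main__":
    for user, info in flag_suspicious_logins(SAMPLE_LOG).items():
        print(user, info)
```

With the sample above only `alice` is flagged at the default threshold; `carol` has a single failure and `bob` none, so neither generates an alert. The threshold is a tuning knob: lower it and ordinary typos start to show up, which is the usual trade-off between early warning and false positives.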
Have a plan: Organisations need to put policies and procedures in place that make it clear what needs to happen in the event of a breach, and who’s responsible for making it happen. This should cover the thresholds for notification, so it’s clear who needs to be notified and when, and also cover how the breach is registered and the steps IT and security teams can put in place to make any stolen data safe, post-breach. An effective breach response plan demonstrates compliance, but also reduces the time taken to repair a breach and the impact of any breach.
In short, companies can look on GDPR as a burden and a threat, or as a wake-up call; one that can help them tighten their defences and minimise the risks and effects of a breach. Compliance is essential, but it can also help keep the Wolf and his ilk at bay.