Posted on : July 31 , 2018
“Citizens in the EU spent most of the past couple of months mastering secure spreadsheets and two-factor authentication procedures after GDPR came into force at the end of May”.
The General Data Protection Regulation (GDPR) has radically reshaped how companies can collect, use and store personal information. Companies that fail to comply with GDPR face fines of up to 4 per cent of global annual turnover or €20m, whichever is greater.
Technology companies, media groups, retailers and banks are among those most exposed, because of the vast amounts of information they hold on customers.
People have an expanded right to know how their data is being used and whether it is shared or deleted, and that heightened awareness is already visible in the numbers: regulators are receiving far more complaints, and businesses are reporting more data breaches. The UK’s Information Commissioner’s Office (ICO) received 1,106 data protection complaints in the three weeks following the GDPR’s introduction, and reports that breach notifications, which the GDPR makes mandatory for any breach likely to put individuals at risk, have also increased. Thomas Cook and Dixons Carphone are among the UK companies that have recently disclosed data breaches. The trend is not limited to the UK: the latest figures show a significant rise in breach notifications and complaints to the data protection authorities in Ireland, the Czech Republic and Austria, and France in particular has already seen the volume of complaints increase by more than 50% compared with the same period last year.
Security Outcomes and Strategy
GDPR defines data security outcomes but does not prescribe the security measures organizations must put in place. That leaves organizations with a real challenge: Article 32 requires a level of security ‘appropriate’ to the risks presented by the processing, judged against the state of the art and the costs of implementation as well as the nature, scope, context and purposes of the processing.
This reflects both the GDPR’s risk-based approach and the fact that there is no ‘one size fits all’ solution to information security. What is ‘appropriate’ for a business depends on its own circumstances. So, before deciding what measures are appropriate, organizations need to assess their information risk: review the personal data they hold and the way they use it, judge how valuable, sensitive or confidential it is, and consider the damage or distress that would be caused if it were compromised.
Organizations should embrace the change instigated by GDPR and capture the opportunity to enhance their existing security practices and technology infrastructure to improve their overall security posture.
For instance, threat intelligence can warn an organization about likely and emerging threats well before they would surface through the normal course of detection and investigation. Depending on the situation, such advance warning is often enough to prevent an attack altogether, or at least to support a timely breach response when one does occur.
Prevention-led strategies of this kind are a core part of a modern cyber security programme, and they keep costs down compared with the expensive point solutions that dominate the marketplace.
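The practical end of the threat intelligence argument above is unglamorous: indicators arrive from a feed, and the organization has to check its own telemetry against them quickly enough to act. The script below is an added example written for this page, not code from the original post or from any vendor. It loads a constructed indicator set (placeholder domains, IP addresses and a hash; none are real threat data), scans a handful of constructed proxy, DNS and EDR log lines, and reports each hit with its timestamp. It also computes the 72-hour notification window that GDPR Article 33(1) starts once the controller becomes aware of a breach, treating the earliest hit as the worst-case start of that clock; that treatment is an assumption for illustration, since an indicator match alone does not establish that personal data was compromised.

```python
"""Match a threat-intelligence indicator feed against log lines.

Added example, not from the original post. The indicator feed and the log
lines below are constructed for illustration; the domains, addresses and
hash are placeholders, not real threat data.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed indicator feed, keyed by indicator type. In practice this would
# come from a TAXII server, a MISP export or a vendor CSV. Placeholder values.
INDICATORS = {
    "domain": {"update-check.example.net", "cdn-assets.example.org"},
    "ipv4": {"203.0.113.45", "198.51.100.7"},
    "sha256": {"0123456789abcdef" * 4},  # obviously fake 64-hex placeholder
}

# Constructed log lines from three sources (proxy, DNS, EDR). Not real data.
LOG_LINES = [
    "2018-07-30T09:12:03Z proxy src=10.0.4.21 dst=93.184.216.34 host=www.example.com status=200",
    "2018-07-30T09:14:41Z dns client=10.0.4.21 query=update-check.example.net type=A",
    "2018-07-30T09:14:42Z proxy src=10.0.4.21 dst=203.0.113.45 host=update-check.example.net status=200",
    "2018-07-30T11:02:17Z edr host=ws-021 event=file_write sha256=" + "0123456789abcdef" * 4,
    "2018-07-30T11:05:00Z proxy src=10.0.4.33 dst=93.184.216.34 host=www.example.com status=200",
]

# Leading ISO-8601 timestamp (UTC, 'Z' suffix) on every log line we accept.
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z")

# Which key=value fields can carry each indicator type. Order matters only for
# the order in which hits from one line are reported.
FIELD_RE = {
    "domain": re.compile(r"\b(?:host|query)=([A-Za-z0-9.-]+)"),
    "ipv4": re.compile(r"\b(?:src|dst|client)=(\d{1,3}(?:\.\d{1,3}){3})"),
    "sha256": re.compile(r"\bsha256=([0-9a-fA-F]{64})\b"),
}


@dataclass(frozen=True)
class Match:
    timestamp: datetime
    kind: str
    value: str
    line: str


def find_matches(lines, indicators):
    """Return every (timestamp, indicator type, value, line) hit, in log order.

    Lines without a parseable leading timestamp are skipped rather than
    guessed at, so a garbled line cannot silently move the awareness clock.
    """
    hits = []
    for line in lines:
        ts_match = TS_RE.match(line)
        if not ts_match:
            continue
        ts = datetime.strptime(ts_match.group(1), "%Y-%m-%dT%H:%M:%S")
        for kind, pattern in FIELD_RE.items():
            for value in pattern.findall(line):
                value = value.lower()
                if value in indicators.get(kind, set()):
                    hits.append(Match(ts, kind, value, line))
    return hits


def notification_deadline(hits):
    """Worst-case GDPR Art. 33(1) deadline: 72 hours after becoming aware.

    Assumption for illustration: the earliest indicator hit is taken as the
    moment of awareness. A real incident process would start the clock when
    triage confirms personal data is affected, which may be later.
    """
    if not hits:
        return None
    first_seen = min(h.timestamp for h in hits)
    return first_seen + timedelta(hours=72)


if __name__ == "__main__":
    found = find_matches(LOG_LINES, INDICATORS)
    for h in found:
        print(f"{h.timestamp.isoformat()}  {h.kind:7} {h.value}")
    deadline = notification_deadline(found)
    if deadline:
        print(f"Art. 33 notification window closes: {deadline.isoformat()}Z")
```

Run it directly to see the four hits (the DNS query, the proxy connection that matches on both destination address and hostname, and the EDR file write) and the resulting deadline. Matching is exact and case-insensitive on the extracted field values; a production consumer would also handle subdomain matching, CIDR ranges and indicator expiry, which are deliberately left out here to keep the matching logic readable.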