That said, despite the number of breaches last year, so far, regulators have yet to bring GDPR fines to bear on an organisation that was breached since May 25. Typical investigations into major breaches tend to take about a year, so it's a safe bet that any major GDPR penalties likely won't be seen until later this year.
This does not mean that businesses should rest on their laurels, however. The number of data breach reports filed since GDPR went into effect hit 8,000 in the U.K. in 2018. Eighty-two people filed reports to the Information Commissioner’s Office (ICO) about potentially undisclosed breaches in the three months to the end of August, compared with 31 reports in the three months to the end of April, according to figures compiled by law firm RPC after a freedom of information request. With that in mind, it’s more important than ever that businesses ensure their houses are in order.
Worryingly though, half of the organisations in our survey admitted they lacked the understanding of the data they collected and processed, making it their number one concern relating to non-compliance, and a quarter came forward and said they didn’t understand the new responsibilities that came with GDPR.
Whilst GDPR brings with it a host of tick boxes for compliance, businesses should still be answering the same questions: what are the security implications, and how do we manage them? The overarching response should always be to revert to basic security best practice.
In the rush to meet industry expectations or compliance cut-off dates, organisations may skip some foundational steps critical to ensuring long-term data security, but the biggest threats to enterprise data assets are the same ones we were worried about last year – and even a decade ago. Ultimately, our goals remain unchanged: data protection, compliance, breach avoidance, and – worst case scenario – incident response and remediation.
Many security breaches are still down to something as simple as choosing a weak password, using non-encrypted portable devices/hardware, clicking on a link from an untrusted source, a lack of software and systems updates or poor employee education. Even the O2 network outage could have been avoided if they had correct measures in place to ensure employees updated the software correctly, and the Ticketmaster breach of customer data announced just one month after GDPR came into full effect – again, preventable.
Cyber-attacks and data breaches are more prevalent and the consequences to organisations are higher than ever. Whether investing in training for employees, or deploying new solutions to address the new risks, to avoid putting data at risk and ensure compliance this year, and every year, organisations should consider the following basic security principles:
·Organisations should review their existing security processes to better understand their current security posture against compliance guidelines and best practices, identifying the gaps and putting a plan in place to address these areas.
·Education and awareness programmes need to be created and run for all staff, temporary and permanent, and these must be regularly updated and tested.
·Employees should be clearly informed of the necessary password policies which should also be enforced at a technical level wherever possible.
·The encryption of data should be a key element of any security strategy. Encryption is specifically recommended by Article 32 of GDPR as a method to protect personal data.
·Data should be encrypted at rest and in transit, especially for removable storage devices.
·Data taken beyond the corporate network should be done so on corporately approved, mobile storage devices featuring strong encryption, and non-sanctioned devices should be prohibited from working by end point control solutions.
·Organisations should also have a well-defined patching process in place to ensure all software and systems are updated regularly.
By reverting to the basics, businesses will be in good stead for meeting compliance regulations. They need not only focus on the fines they might receive, but how GDPR compliance could be a driver of increased customer trust and overall business growth. Forty four percent in our survey agreed that GDPR was a welcome opportunity to overhaul their organisation’s data handling and security processes and ninety eight percent of respondents recognised that they need to continue investment in policy, people and technology post the deadline. The task now is to maintain compliance and ensure best practice remains a priority. Achieving a sustainable security posture is an ongoing exercise.