Cybercrime just keeps on growing. According to the latest figures from the UK Office for National Statistics, there were 4.7 million incidents of fraud and computer misuse against businesses in the year to 2017. Some of these probably involved personal data – watch that number grow!
The reason is the General Data Protection Regulation (GDPR), which may turn out to be a bonanza for cyber criminals. The GDPR was designed by the EU to help individuals get some control back over their data. Under this law, which comes into effect on 25 May 2018, companies are expected to protect personal data, and fines for breaches can run up to 20 million euros or four percent of a company’s global annual turnover.
Fine, that’s the law, but it’s hard to imagine that, even with huge investments in security measures, companies will make a significant dent in those cybercrime numbers overnight. What’s more likely is that cyber criminals will tweak their business model to exploit the fear of GDPR non-compliance!
Consider the situation – a business gets hacked and the cyber criminals go straight for personal account details. However, whereas in the past they might have sold these for pennies, now they set their sights much higher. They get in touch with the business and make it an offer that it can’t refuse: pay a ransom or we will put you in breach of the GDPR.
Under the GDPR, the business has 72 hours to notify the supervisory authorities and all the affected individuals. With the clock ticking, how would you react?
However, before you answer that question, consider what the responsibilities of companies under the GDPR are exactly. These are enshrined in six principles of data processing. As the UK Information Commissioner’s Office (ICO) reports: “Data controllers shall be responsible for, and be able to demonstrate, compliance with these principles.”
The ICO goes on to explain how businesses can demonstrate compliance. In relation to the security of the personal data, it advises organisations to implement: (i) appropriate technical and organisational measures, such as staff training, internal audits of processing activities and reviews of internal HR policies; and (ii) data protection by design and default, with measures such as data minimisation, pseudonymisation, and creating and improving security features on an on-going basis.
So, in our cyber-blackmail scenario, it’s not the theft of the data that triggers the breach, but the lack of technical and organisational measures, and negligence in reporting the breach of personal data to the supervisory authorities and affected persons. A company that has implemented the necessary measures will not only improve its defence against cyber criminals, but also its legal defence against GDPR fines if it does get hacked and its personal data stolen.
So, what are these “technical and organisational measures” that companies can implement to defend themselves against GDPR breaches? The answer comes in two dimensions.
The first is the technical dimension, which encompasses the hardware and software systems offered by information security vendors and consultants, as well as the legal contracts, standard-clause processor agreements, etc., that are proving to be a bonanza for legal firms.
The second is the organisational dimension, which at Skillcast we term the people dimension. This encompasses staff training, competency mapping, internal audits and staff decision support.
At Skillcast, we’ve been helping hundreds of businesses prepare for the GDPR, and for most companies, it’s this people dimension that is most important in this preparation. Outside the world of internet giants such as Google and Facebook, it’s not automated data processing, algorithms or data stores that present the information security risk, but small incidents such as a lost mobile, an incorrectly addressed email or an injudicious social media post.
The people dimension is not just about putting staff through a quick GDPR course, although training is certainly a critical element. Instead it requires a holistic approach – GDPR compliance will be a journey for most companies, rather than a one-off remediation exercise.
This journey should begin with internal audits of processing activities – as recommended by the ICO. These audits should be conducted using 360-degree assessments that capture the perspective of the employees at the front line of data processing as well as the top managers.
This should be complemented by mapping the knowledge, competence and behavioural instincts of employees across the organisation and, where possible, third parties, including temporary workers and consultants.
The obvious next step is staff training. This should include firm-wide awareness and knowledge building at regular intervals, additional training for managers and specialist training for certain roles, such as those who deal with consent, Subject Access Requests and international transfers.
However, training in itself is not enough. The best practice is evolving to include just-in-time resources and decision-support systems, preferably accessible via mobiles so that your staff can use them wherever they are. These can help employees make the right decisions when identifying special categories of data, dealing with the rights of individuals, notifying about personal data breaches etc.
Of course, data breaches will still occur post-GDPR. Hackers will find ways to outsmart security systems. Employees will make mistakes – lose/erase/corrupt data. Some companies might even face ransom demands from cyber criminals. However, the businesses that embrace the people dimension of the GDPR and are able to evidence that they did and continue to do everything they can to be compliant will be better protected against potentially ruinous fines and sanctions.