The Ins and Outs of GDPR

UK firms who wish to avoid fines up to €20 million or four per cent of turnover (whichever is greater) now have only eight months to comply with the European Union (EU)’s General Data Protection Regulation (GDPR), which comes into force in May 2018. The UK government also recently announced a new ruling designed to protect consumers’ digital rights even further.

Online organizations which store any kind of customer details will be legally obliged to enable consumers to have their data removed should they request it. The ‘right to be forgotten’ clause means having to provide a clearly identifiable route for members of the public to make contact and make their request known and acted upon. A separate UK ruling will extend the consumer rights enshrined in GDPR slightly by requiring social media companies to delete all of a person’s posts from before they were under 18, should they request it.

The GDPR, which comes into force in the UK on May 25, will mean that customer consent must be given ‘unambiguously’ through an ‘opt out’ mechanism. Online organizations will be obliged to show that consumers’ consent to use personal data of any kind was given freely and that they have been presented with clear information enabling a full understanding of the marketing purposes for which their data is to be used and that they can easily choose to opt out. According to industry forecasts, almost half the UK’s digital consumers are likely to actively take advantage of their new rights under EU law.

In addition to giving consumers control of their personal data, GDPR will require companies to take truly effective steps to safeguard the data with which their customers have entrusted them. Future cybersecurity breaches such as those that occurred at JD Wetherspoon, where 656,723 customer email addresses, phone numbers and dates of birth were stolen by hackers, and TalkTalk could soon generate the massive fines soon to be imposed by the EU.

In TalkTalk’s case, the telecoms provider was fined £400,000 for failing to safeguard around 150,000 customers’ details. TalkTalk has also been fined an additional £100,000 by the UK Information Commissioner’s Office (ICO) in a separate incident which placed 21,000 customers’ personal details at risk.

Whereas the ICO can only fine companies a maximum of £500,000 for serious breaches of data protection obligations, as from May the EU’s GDPR will have the power to penalize a company of Talk Talk’s size to the tune of around £74 million for a serious data breach. In the eyes of Brussels, the onus is totally on the organization to safeguard the customer data it has garnered.

There is already mounting evidence that many companies could easily find themselves paying these kind of penalties next year. According to the 2017 Thales Data Threat Report: "93% of respondents will use sensitive data in an advanced technology (defined as cloud, SaaS, big data, IoT and containers) environments this year. A majority of those respondents (63%) also believe their organisations are deploying these technologies ahead of having appropriate data security solutions in place." PwC, predicts that over half of British businesses are expected to incur a cyber-attack by 2018.

Even those who do have standard safeguards already in place may have to drastically update and extend their cybersecurity. Unfortunately, there is no magic bullet that ensures effective enough cybersecurity to satisfy the demands of the EU. Companies will, of course, be expected to patch known vulnerabilities and to download the latest anti-virus software.

This will do little to avoid the increasingly sophisticated cyber-threats that have emerged over the last six-to-twelve months. These include a scam using a “lure” document masquerading as a curriculum vitae accompanying a harmless email; the weaponized Word document contains a template reference that, when the document is loaded, injects embedded malicious payloads into the corporate data network in order to install ransomware or steal data.

Threat intelligence in the form of knowledge of the latest attack vectors enables companies to prepare appropriate defenses. Also using a managed detection response service provider to detect sophisticated threats and attacks that may have gone under the company’s ordinary defenses is also now being seen as a necessary safeguard.

The GDPR time bomb is already ticking for companies who do business online and have not sufficiently prepared themselves for May 25.

What’s Hot on Infosecurity Magazine?