GDPR is an ongoing concern and you need to keep up with cybersecurity, says Thorsten Kurpjuhn.
Since the implementation of the General Data Protection Regulation (GDPR) on 25th May 2018, compliance continues to be a challenge and many businesses struggle to ensure they honour and protect the rights of data subjects.
Most efforts have amounted to little more than floods of marketing emails asking recipients to opt in. As a result of the laissez-faire attitude towards GDPR that persists to this day, fines totalled €56m in the regulation's first year, with more than 200,000 investigations opened, 64,000 of which were upheld.
The total fines issued to date remain dominated by the €50m fine imposed on Google by France's National Data Protection Commission, CNIL.
The approach and reaction to GDPR differ widely across Europe. Countries such as Slovakia and Sweden have yet to issue a single fine, while countries like Poland, Portugal and Spain have fined companies several hundred thousand euros.
Germany has seen some of the highest levels of GDPR activity, with 42 fines imposed (averaging €16,100) and 58 warnings issued. By comparison, the Netherlands has issued over 1,000 warnings but only one fine, which happens to be one of the highest in Europe at €600,000.
Whether the level of GDPR fines issued reflects poor compliance in some countries or less diligent Data Protection Agencies (DPAs) in others remains a grey area.
Meeting the requirements of GDPR is closely linked to cybersecurity. For businesses in the EU, this means that all members of staff must be trained in proper security protocols for the storage and use of anything that could be classed as private information.
However, even if all employees are provided with ongoing cybersecurity awareness training, efforts shouldn’t stop there. So where are businesses going wrong when it comes to GDPR compliance?
Why are business networks so vulnerable?
A business's network is its prime data highway, which makes it the prime target for cyberattacks. Even if data handling protocols and procedures are GDPR-compliant, those efforts are rendered worthless as soon as network security is breached.
Strengthening the network to protect the data on it must be a priority for businesses of any size that want to avoid falling foul of GDPR and facing severe financial penalties.
Companies already risk fines of up to €20m or 4% of global annual turnover, whichever is higher, if they are found in breach. Yet compliance remains a challenge. Arguably, this is because running an email marketing campaign and updating internal documents is a much easier exercise than taking concrete steps to safeguard the network and protect sensitive information.
Cybercrime is an evolving threat that can cause catastrophic damage. Cybercriminals are using increasingly sophisticated new ways of penetrating IT infrastructure, making it difficult for businesses to defend networks and keep data safe.
The harsh truth is that we cannot make a network completely secure and unbreachable. Thankfully, that is not what GDPR requires of companies.
The legislation simply specifies that businesses must do all that is in their power to ensure data security, but at this stage it appears that most businesses would fail to prove that their network is as secure as it can be.
The importance of prioritising internal security
Legislation, including GDPR, is only as powerful as its enforcement. Moving forward, Ernst & Young (EY) expects European authorities to become more stringent. "We expect European regulators to implement their 2019 announcements and increase their fines," said EY partner Peter Katko. In the coming months it will be critical for businesses to step up their game as DPAs ramp up their efforts.
While large companies can afford to outsource the task of putting security measures in place and maintaining them to Managed Service Providers (MSPs), smaller businesses often lack the required knowledge and resources. Yet the penalties for not dedicating enough effort to stronger cybersecurity measures can be a deadly blow to SMBs.
DPAs have the power not only to issue a fine but also to impose a temporary or indefinite suspension of data processing. The aim is to ensure that no more data can be compromised while investigations take place, but this ruling alone could threaten the future of a business, especially once the ensuing reputational damage is taken into account.
To reduce the risks, there are practical steps that businesses can take to ensure the corporate network is aligned with GDPR requirements. Above all, it is crucial that they build their networks using the latest cybersecurity standards and network infrastructures rather than relying on a standard domestic router with out-of-the-box anti-virus software.
For example, previously specialist technology such as Advanced Threat Protection (ATP) is now moving into the mainstream and will allow businesses to monitor and protect their network against cyber threats in real time. This will be crucial as attacks increase in number and sophistication.
Businesses can’t afford to wait anymore. Not only do they need to keep up to date with regulators’ guidance and the enforcement decisions from DPAs, but they must also review existing network infrastructures to reduce the risk of cyberattacks.
Businesses must also prioritise internal cybersecurity awareness and ongoing training to ensure that everybody in the organisation knows how to handle data securely and what to look out for when it comes to threats to the network.
GDPR must be at the top of a business's agenda as cyber threats continue to evolve. Businesses with out-of-date network security run the risk of a serious cyberattack on their network. It is therefore imperative that they adopt and continually review security practices to ensure data is handled securely, and break the current silence surrounding GDPR.