So, all in all, how are we coping with GDPR just under a year on? Ross Brewer, VP & MD EMEA at LogRhythm, explains for Lawyer Monthly.
Companies including Marriott, British Airways and Dixons Carphone are among the high-profile names that have disclosed data breaches affecting hundreds of millions of people, although it is not yet certain whether all of these will fall under GDPR.
Before GDPR came into force, only a small number of sectors, including banking and telecoms, faced an obligation to report a data breach. Under the new regulation, organisations in every sector must notify the supervisory authority, which in the UK is the Information Commissioner's Office (ICO), within 72 hours of becoming aware of a personal data breach (unless the breach is unlikely to result in a risk to individuals), and must also inform the affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
It is therefore not surprising that reported data breaches have risen since GDPR took effect: a recent survey by law firm DLA Piper found that around 59,000 data breaches had been notified across Europe since May 2018, 10,600 of them in the UK.
The report highlights the scope and scale of today's threat landscape. Nearly 60,000 data breaches in nine months may sound extremely high, but it is not necessarily surprising. Intelligent, sophisticated and manipulative, today's hackers are a force to be reckoned with. However, the regulation is not an opportunity for regulators to catch out "bad" companies; it is a regime that aims to better protect customers and consumers.
Nor does this mean that there has been an increase in cyber security incidents; rather, businesses are now obliged to report them and are likely treading carefully. They can no longer sweep incidents under the carpet in the hope that no one will ever find out: the threat of a fine of up to €20m or 4 per cent of global annual turnover, whichever is higher, was more than enough to make businesses sit up and take notice.
Awaiting the full force of the regulators
Whilst the number of reported breaches is a clear indicator that the regulation is improving transparency, businesses should not read too much into the number of fines issued so far. Only 91 fines have been handed out since the regulation came into force, but the DLA Piper report also reveals that regulators are working through a backlog of notified breaches. The figure may seem low, but it is unlikely to be a true representation of those that will eventually be fined; there is a good chance we will start to see the full force of the regulators as they sift through existing and future breach notifications.
What's important is that businesses do not become complacent. GDPR was introduced to improve data protection, and regulators will have no qualms about penalising those that are not complying. No company is immune to attack, but under GDPR businesses need to show documented proof that they are taking steps to mitigate the damage when breaches occur. Those that take the correct steps and invest in the right technology, people and processes will have a much better chance of avoiding heavy penalties and a loss of public trust in the future.
Investing in the right tools is key
One of the biggest concerns when GDPR came into force was that security teams were swamped with best-practice advice about what they needed to invest in to comply. And with the short window for reporting breaches, speed of detection and response is critical: the 72-hour clock starts when the organisation becomes aware of a breach, so a team that can scope an incident quickly has far more of that window left to investigate and report it accurately.
It is incredibly important that businesses are able to identify and mitigate real threats as soon as they appear. We are becoming increasingly aware that it is now virtually impossible for IT teams to monitor manually what hackers are doing; the volume of log and event data is simply too high. Only by investing in technology that can keep pace with the threat landscape, such as NextGen SIEM, User and Entity Behaviour Analytics (UEBA), and Security Orchestration, Automation and Response (SOAR), will businesses be able to detect and mitigate threats as quickly as they need to and avoid the regulators' wrath.