Cybercrime is a growing concern for digital businesses. The consequences of non-compliance with the General Data Protection Regulation (GDPR), Europe’s new data privacy and security law, are also increasingly worrying.
GDPR was implemented in May 2018 with the intention of protecting the rights and freedoms of internet users. As a bare minimum, companies are obligated to get consent from their clients to collect, store and use personal data.
In the early days, the general guidance was to “update your ongoing privacy policies to be GDPR compliant.” The only solution for many companies has been to explain how they collect and store data, what data they collect and how personal data will be used.
Three years on and the implications of GDPR are much more critical for businesses. GDPR serves as a catalyst for governing bodies to prosecute companies that do not implement sufficient cybersecurity measures.
Since GDPR came into effect, more than £245.3 million (about $332.4 million) in fines have been issued. And that’s only among European countries. GDPR has a worldwide reach.
GDPR Fines for Data Breaches
Cybersecurity falls into ‘Level 1’ of the GDPR. This level applies to the failure to implement measures to prevent a data breach, including a Data Protection Impact Assessment (DPIA).
Article 35.7(d) states a DPIA should contain at least: “the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.”
Level 1 penalties are calculated at 2% of a company’s global turnover, or €10 million (about $12 million), whichever is the greater.
When a company suffers a cybersecurity attack, any data breach must be reported to the relevant supervisory authority within 72 hours. Affected customers must also be promptly informed.
Cybercrime Requires More Than an IT Response
The number of GDPR penalties dished out for data breaches rose significantly in 2019-2020. Cybersecurity experts expect the rise to continue because companies are failing to implement sufficient defences against cybercrime.
CNBC reports 60% of small businesses that suffer a data breach go out of business within six months. The average cost of a data breach is around $200,000. If the GDPR penalty doesn’t financially cripple an enterprise, the customer exodus will.
To monitor security and operations in a way that is GDPR compliant, businesses are obliged to focus on preventing and avoiding security and privacy breaches.
A report published by Deloitte underscores that cybersecurity is not only an IT problem. Most data breaches are caused by the lack of awareness among employees.
Cybersecurity experts claim that 99% of cyber attacks rely on humans to click on a link or download an attachment embedded with malware. The other 1% is when cybercriminals exploit a vulnerability in IT infrastructure.
Who Is Responsible for Data Breaches?
The number of data breaches against leading firms, large and small, is testament that no security infrastructure is impenetrable. The spate of Microsoft fiascos earlier this year underscores the threat posed by cybercriminals.
However, Microsoft will not be held responsible for data breaches that involve flaws in its technology. Companies that fail to update Windows-based computer systems with the latest version are held accountable. Since updates can cause downtime, some businesses do not update the software immediately.
The law surrounding current data breaches is cloudy (pardon the pun). However, it is clear that “data owners are held liable in the event of a data breach.
“Data owners are held responsible for data security. For this reason, they are usually considered liable for breaches. Of course, the data owner may be able to argue that they did everything required of them to ensure the security of the data.”
A data owner is a business that provides services or products to customers. A data holder is the third-party cloud service; i.e. Microsoft.
Does this leave businesses without a defence against GDPR?
Recital 51 of GDPR, “Protecting sensitive personal data”, is not clear. As a bare minimum, firms are obliged to continuously monitor and respond to notifications and issues that could lead to a data breach. If a business can demonstrate that it has met every possible compliance detail, there could be a defence.
James Kirby is an experienced IT solutions provider and Managing Director of MicroPro in London. When he is not keeping IT networks running seamlessly he can be found repairing and driving tanks in Kent.
© YFS Magazine. All Rights Reserved.