Is your business doing all it can to be GDPR compliant?
The introduction of the EU General Data Protection Regulation (GDPR) in 2016 and the Data Protection Act (DPA) in 2018 impacted businesses worldwide. The legislation changed the way we collect, manage, use and, most importantly, protect data in its many forms, and it continues to be a major area of consideration for any business regardless of size or industry.
We highlighted in earlier updates that cyber security threats continue to evolve, with ransomware in particular a worldwide concern. The pressures on businesses in more recent years may have shifted focus, but the need for robust cyber security within any organisation remains as important as ever.
Ransomware attacks can be costly to any business, not only for the damage they cause in both financial and reputational terms; such situations can also incur additional regulatory penalties.
Any such data breach must be declared immediately and would be subject to formal investigation. If investigations determine such data breaches were in fact preventable, or the business is considered to not have appropriate security measures and procedures in place, financial penalties will apply.
Who is affected by GDPR legislation?
GDPR applies to a business of any size, and any business is at risk of data breaches, both virtually (cyber security) and in real-life settings (data filing and storage). The rules for a global multinational corporation through to a single-person enterprise remain the same, as do the potential penalties. Investigations and rulings are carried out by the Information Commissioner's Office (ICO).
What are the GDPR penalties?
There are two types of penalties depending on both the nature of the breach and surrounding business activity such as administrative requirements. These are referred to as higher maximum and standard maximum.
What is the higher maximum?
The higher maximum amount is £17.5 million or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher.
In practice, the higher maximum amount can apply to any failure to comply with any of the data protection principles, any rights an individual may have under Part 3 or in relation to any transfers of data to third countries.
What is the standard maximum?
If there is an infringement of other provisions, such as administrative requirements of the legislation, the standard maximum amount will apply, which is £8.7 million or 2% of the total annual worldwide turnover in the preceding financial year, whichever is higher.
Learn by example
A recent ICO ruling on a legal firm in London, UK took place following a data breach as it was deemed that the firm had “…failed to process personal data in a manner that ensured appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.”
The firm, consisting of 12 staff, became aware of a data breach in August 2020. However, the investigation found that the organisation had failed to implement appropriate actions to operate in compliance with GDPR since its inception in May 2018. The only action that had taken place ahead of the investigation was the discovery of the breach and notification of the appropriate authorities.
Sadly, the breach appeared to be the result of a ransomware attack that had gone undetected, exposing confidential court documents, including some relating to ongoing criminal proceedings, with 60 case bundles subsequently published on the "dark web" featuring the personal information of multiple individuals.
Since the discovery, the solicitors were impacted in various ways including:
- Substantial financial and resource costs to investigate and rectify the circumstances leading to the breach
- Subsequent costs resulting from the breach and the identified individuals affected
- Time lost to the business due to system shutdown
- Damaged reputation of the business following the breach and necessary actions
- Investment time and financial commitment to implement data security software, process, and policies to adhere to GDPR compliance requirements and preventative measures
In this instance, the monetary penalty applied by the ICO was £98,000. This is in addition to the substantial costs outlined above.
How could this have been avoided?
With the growing threats to cyber security, along with the legislative impact of GDPR and data protection, it is more important than ever to ensure your organisation, regardless of size, has plans and processes in place.
Incidents may still occur; however, the law firm ruling highlights that insufficient or limited preventative action can have much broader and more significant consequences.
Through investment and consideration, there are many ways to ensure your business is better protected. Here are key actions to consider for any size business:
- Invest in a cyber security solution. Cyber security software should be the very minimum for any business, from sole trader through to corporation. Not only will it help protect your IT equipment from threats to support day-to-day use, but it can also serve as evidence of the actions taken to keep any data you hold safe and to ensure it remains that way. Sophos is a recognised world leader in IT security and a beneficial investment.
- Policies and processes. To ensure safety is maintained, organise clear policies and processes for all within your organisation. Ensure all staff are trained and fully understand these and expectations of them to aid data security. This should apply for both in-office and remote working environments.
- Assign a Data Controller. Organisations are expected to appoint a point of contact for data matters. This role both monitors how your data is managed and your compliance, and acts as a point of contact for any formal data requests, such as a request for removal from a mailing list.
- Cyber Essentials certification. Recognised as best practice for a robust approach to data security. Certification is obtained following assessment which will also identify how best to ensure your business is compliant with the best data protection approach.
- Use of Multi-Factor Authentication (MFA). MFA, or 2-factor authentication, has become increasingly applied as an additional safety precaution for online system access. This beneficial tool can be a much-needed barrier against threats as cyber criminals become more adept at cracking login credentials.
The Information Solutions consultation service can be a much-needed first step to ensure you have what is required in place for GDPR compliance and data security. Speak to the team today and take the first step to a more secure future.