Yet the past 12 months have, if anything, seen an escalation in reported breaches, fines, and poor cybersecurity practice. As they move forward, organisations must remember that compliance shouldn’t be treated as an onerous tick-box exercise to keep the regulator off their back. It’s an ongoing process that, if built successfully into the corporate culture, could help drive competitive differentiation and growth in the long term.
Recent reports indicate that the UK regulator, the Information Commissioner's Office (ICO), investigated 11,468 data breach cases between May 2018 and March this year, roughly 1,100 a month. Separate figures from law firm DLA Piper put the EU-wide total at 59,000 notifications in the first eight months of the regime, including 10,600 from UK firms. High-profile brands hit during this new regulatory period include British Airways, which said that around 380,000 customers may have had their payment details stolen from a payment page after malware was planted on it.
If nothing else, GDPR appears to have increased transparency in the reporting of breaches. Whether it has driven improvements in data handling and security itself is probably too early to tell.
Still, taking accountability for safeguarding customer and employee data is the first step towards effective compliance and towards building the right kind of organisation-wide culture.
After 12 months of the GDPR, the following is clear:
1) Non-compliance with GDPR requirements exposes organisations to substantial financial penalties. However, we have yet to see the level of fine the ICO will impose for a major data breach.
2) The ICO will prosecute individuals as well as companies. Under the previous data protection regime, a head teacher, a nurse and a doctor's receptionist were each fined for accessing and using personal data inappropriately.
3) Every requirement of the regime is enforced, not just the headline ones. Organisations across the manufacturing, business and finance sectors have been fined simply for failing to pay the ICO data protection fee.
Localising GDPR
It's also worth remembering that the GDPR's obligations are mirrored and supplemented in UK law by the Data Protection Act 2018 (DPA 2018), so they are likely to apply in the same terms after the UK exits the EU. The DPA 2018 also supplies the enforcement machinery: investigators can obtain a warrant to search physical premises following a data security incident, and individuals or organisations can be prosecuted for failing to provide information. Destroying or altering any data named in a warrant can likewise lead to prosecution.
Time for best practices
Although cyber-attacks against organisations have become more sophisticated in recent years, many incidents are still caused by basic security failings. According to Verizon, for example, 60 million personal records exposed over the past year were down to misconfigured cloud storage systems, a failure mode that no amount of attacker sophistication is needed to exploit.
So it is now more relevant than ever that businesses get the basics right.
Within Optomany, security is seen as a business enabler and is baked into everything we do from the outset. This "security by design" approach is a core principle of the GDPR and gives us a secure, compliant foundation to build on. We urge all businesses to follow suit.
As a payments leader handling large volumes of highly regulated data, Optomany is focused on leading by example in data security and privacy. All our solutions are developed to reduce the risk and compliance burden on merchants and partners, leaving them free to focus on their core business.