Cyber security specialist issues warning over 2018 regulations

Keith Cottenden

Business owners are being warned to be prepared for the biggest shake up of data protection law in 20 years when new regulations come into force in 2018.

The General Data Protection Regulation (GDPR) is a landmark regulation to enforce data privacy and protection.

It also promises to reshape radically how companies handle and obtain personal data. With less than 18 months to go until it becomes law (on May 25, 2018) preparing an organisation for GDPR is key, says Manchester-based cyber security specialist CYFOR.

Among the changes the GDPR gives rise to is an expansion of the requirements for storing personal information, enhanced information governance and more stringent sanctions for organisations that suffer a data breach.

This is now relevant more than ever for businesses due to the growth in technological services, such as cloud management, which involves sensitive data.

It introduces significant new strictures upon organisations, including:
• Privacy built into systems by default
• Regular privacy impact assessments
• Stronger consent mechanisms
• Stringent procedures for reporting data breaches
• More extensive documentation of how personal data is used

CYFOR technical director Keith Cottenden told TheBusinessDesk: “Businesses will have to start putting plans in place to ensure they meet the 2018 implementation deadline and those that do not comply will face fines far larger than what European data protection authorities currently hand out.”

The new regulations will affect every business located in the EU, or trading with EU businesses, that collects, stores or uses personal information, enhancing individuals’ data protection rights and introducing a greater obligation for businesses to be transparent about how they use personal data.

Businesses will be required to have appropriate policies and procedures in place to ensure that personal data is collected and processed lawfully. They will also need procedures to deal with Data Subject Access Requests (requests from individuals for details of all data held about them) and with data breaches.

Cottenden continued: “The bottom line is that businesses must not ignore the GDPR. Proactive steps must be taken to reduce the risk of a data breach. Failure to do so will result in extensive fines as well as serious reputational damage.”

Currently, the maximum penalty an organisation can receive for failing to adequately protect its data is £500,000, imposed by the UK Information Commissioner’s Office (ICO).

Under the GDPR, a business that fails to comply with new regulations and suffers a data breach can be fined up to 4% of global turnover or €20m (£16.9m) – whichever is greater.

The wide-ranging requirements of the GDPR, coupled with the UK government’s commitment to apply the regulation post-Brexit, mean that the GDPR is a pressing issue that must be taken seriously, right up to board level.

The ICO’s record fine of £400,000, imposed on TalkTalk last year, could prove to be minuscule when the regulations change.

Cottenden added: “GDPR is a key component of cyber security, ensuring the protection of private and sensitive data.

“A major principle within the GDPR highlights the importance of having appropriate cyber security measures in place to ensure that data is processed in a manner that provides protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.”

According to the regulation, steps to enforce network and information security could include preventing unauthorised access to electronic communications networks and malicious code distribution, including stopping ‘denial of service’ cyber-attacks and damage to computer and electronic communication systems.

Another key security aspect of the GDPR is ensuring that appropriate procedures are in place to detect and investigate personal data breaches as well as report them to a relevant authority within 72 hours.

The recent spate of high-profile cyber-attacks has highlighted the need for businesses to enforce robust measures to protect themselves from cyber criminals.

Companies that don’t adequately prepare themselves not only face a risk to their reputation and financial assets, but also expose themselves to fines, prosecution or civil proceedings if they are found to have been unprepared for the new regulation.

CYFOR provides a comprehensive Cyber Security Audit and Vulnerability Assessment designed to expose the weaknesses in businesses’ IT infrastructure. It says it can then remediate these security gaps, significantly reducing the risk of a data breach and any potential fines.
