Data security and GDPR: how to mitigate both cybercrime and legal risk?
This post was originally published on the Novacom blog.
Sony Pictures, Experian, Anthem Insurance, Heartland Payment Systems, T.J. Maxx, JPMorgan Chase: all of these companies have either been hacked and had data stolen, or found themselves the victim of fraud that released sensitive data to the world.
Cybercrime remains, to an extent, inevitable: criminality in cyberspace is on the rise, with a 49% increase in data breaches in 2014 and a 78% increase in the number of data records stolen or lost compared with the previous year.
The geography of cybercrime
The largest number of data breaches were in North America (76%), followed by Europe (12%), and the Asia-Pacific region (8%).
The UK had the highest number of breaches in Europe with 117 incidents, followed by France (9), Ireland (8), Germany (7), Netherlands (6), Belgium (5), and Russia and Italy, with 3 incidents each.
What is General Data Protection Regulation?
The European Union (EU) plan is to merge current data protection regulations within one single EU law, referred to as the General Data Protection Regulation (GDPR).
The thinking is that the current EU Data Protection Directive 95/46/EC, which is about twenty years old, does not cover critical issues such as trans-national operation and developments such as social networks and cloud computing in a meaningful way. Adoption is planned for 2017.
How does this affect business?
This new EU-wide regulation will transcend any local data privacy laws and is designed to provide a more comprehensive and wide-ranging legal framework which will, by its nature, deliver much tougher personal data privacy legislation.
GDPR will mean EU companies need to significantly enhance data management and security controls to fully comply; in the event of negligent data management practices, very stringent fines, ranging between 5% and 10% of global gross revenue, may be applied.
What about external vendors?
While this EU-wide regulation relates to data owners (the enterprise legally responsible for the data), laws relating to data management, processing and security will also impact the enterprise if there are infringements by third party vendors, such as digital marketing agencies.
This means that enterprises must be certain that such third party vendors have the required legal knowledge and are competent in the current EU Data Protection Directive 95/46/EC as well as the upcoming GDPR. The most robust proof of this is ISO 9001 and ISO 27001 certification.
Where to seek assistance
Novacom has these certifications, so I was surprised to learn that, according to International Organization for Standardization (ISO) 2014 statistics, only 0.06% of UK organisations (that covers everything from government departments to banks) were ISO 27001 certified.
And it's even less prevalent in the US, one of the EU's top trading partners, at 0.00298% of all registered companies. Given that trade often means data transfer, transferring data to a potentially unregulated destination could have very serious legal and financial impacts on EU enterprises.
The current EU Data Protection Directive 95/46/EC legislation is generally little understood in many areas of the EU and, in many respects, quite poorly enforced. But with the recent growing number of data breaches, and GDPR coming on stream, this situation will change quickly.
GDPR and the growing cybercrime statistics mean enterprises must start taking data security more seriously and mitigate security risk much more effectively. This means not only auditing current internal procedures, but also ensuring third party vendors offer the same high level of security.
 Computer Weekly