The General Data Protection Regulation (GDPR) comes into force across the EU from today and is the most important change in data privacy regulation in 20 years. The GDPR is designed to harmonise data privacy laws across Europe, to protect and empower the data privacy of everyone in the EU, and to reshape the way organisations across the region approach data privacy.
The Regulation applies to any 'personal data', meaning information relating to an identified or identifiable natural person, including names, identification numbers, location data, contact details and online identifiers such as IP addresses and cookie IDs. GDPR rules apply to any company or organisation that holds personal data, whether in automated systems or in structured manual filing systems.
The Regulation defines a 'personal data breach' very widely, as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data. It also covers cases where personal data has been inappropriately accessed because of a lack of appropriate internal controls, for example an employee viewing records they have no business need to see.
A notifiable breach MUST be reported!
A notifiable breach, one that is likely to result in a risk to the rights and freedoms of individuals, has to be reported to the relevant supervisory authority, the ICO in the UK, within 72 hours of the organisation becoming aware of it. Note that the clock starts at awareness, not at the point the breach is fully investigated, so incident-response procedures need to be able to produce an initial notification quickly and follow up with further detail later. If the breach is likely to result in a high risk to individuals, the organisation responsible must also inform the affected individuals without undue delay. Every breach, whether notified or not, must be documented internally together with the reasoning behind the decision. Failing to notify a breach when required to do so can result in a significant fine of up to €10 million or 2% of a company's global annual turnover, whichever is higher.
Given the recent increase in the impact and severity of cyber attacks and the new financial exposure created by the GDPR, one might assume that companies are raising their game accordingly and shoring up their cyber defences.
But according to PwC's Global State of Information Security Survey, nearly one in five UK organisations have still not prepared for a cyber attack. Fewer than half of them had conducted penetration tests to examine their cyber defences.
The report also found that more than a quarter of UK organisations were not aware of how many cyber attacks they had experienced in the past year, while a third did not know how the incidents had happened. An organisation that cannot tell how many incidents it has had, or how they occurred, will struggle to meet the 72-hour notification deadline, because it will not become aware of a breach in time or be able to describe it to the regulator.
Businesses that have not planned how to comply with the data handling principles of the GDPR, and how to deal with the consequences of a data breach, are putting their business at risk. This is why Crises Control has launched its regulatory compliance solution to help all organisations with GDPR compliance issues.
We have also produced a free white paper, Keep Your Business Safe from Regulatory Fines, which is available for download.
We have also hosted a webinar, for the BCI Business Continuity Awareness Week 2018, on the subject of business resilience and the threat from data breaches and the GDPR. You can access a recording of the webinar here.