No one can forget the whirlwind of panic in the run-up to the GDPR deadline. Watching the world’s largest organisations scrambling to ensure their data and processes complied was fascinating. However, what about compliance standards now? In the first half of 2019, there were reports of over 4,056 data security incidents.
Data breaches are still commonplace
According to the Verizon 2019 Data Breach Investigations Report:
- There were 1,094 incidents with 155 confirmed data disclosures in the IT sector, 448 in the healthcare sector and 383 in the government and legal sectors.
- In 2018, 69% of attacks came from outsiders, 39% from organised criminal groups, and 34% from insiders.
- Incidents have increased by 40% compared with last year.
- The average losses from breaches have soared by 61%, from roughly £184,000 to around £296,000.
How much does a breach cost an organisation?
Just this quarter, the Information Commissioner’s Office (ICO) handed out the following fines for data misuse:
- The Independent Inquiry into Child Sexual Abuse (IICSA) was fined £200,000 in July 2018 for revealing the identities of abuse victims in a mass email.
- Lifecycle Marketing (Mother and Baby) Ltd, also known as Emma’s Diary, was fined £140,000 in August 2018 for illegally collecting and selling the personal information of over one million people.
- Equifax Ltd was fined £500,000 in September 2018 for failing to protect the personal information of up to 15 million UK citizens during a cyberattack in 2017.
- BUPA Insurance Services was fined £175,000 in September 2018 for failing to have effective security measures in place to protect customers’ personal information.
Brexit and GDPR
Brexit is almost here. Where once GDPR was the main talking point, now the focus is shifting. How will organisations maintain compliance during the transfer of personal data across Europe, post-Brexit? Will Brexit make UK companies even more vulnerable?
A need for harmonisation
The UK was a significant contributor to the establishment and implementation of the Data Protection Act 2018 (DPA). Whether we land a hard deal, a soft deal, or no deal, GDPR, as enshrined in the DPA, will still largely apply once the UK leaves the EU. Day-to-day requirements might not change a great deal, but UK companies receiving personal data transfers from the EU, including data centres, must make the necessary preparations.
Steps your organisation can take to prepare for GDPR post-Brexit
The post-Brexit period will bring additional obstacles and layers of compliance. UK organisations will have to renegotiate every cybersecurity relationship. Once the UK leaves the EU, businesses will also no longer be able to use the regulatory one-stop shop.
The ICO is recommending companies plan for a No Deal outcome. As data will flow freely from the UK to the European Economic Area (EEA), the ICO is also stressing that UK organisations may need to assist EU partners in ensuring compliance for both parties.
Standard contractual clauses, or ‘model clauses’, provide small and medium-sized businesses with an extra safeguard. They ensure that UK and EEA parties comply with GDPR in the absence of a negotiated withdrawal agreement. Any company not already preparing to ensure that the transfer of EU citizens’ data to the UK is fully compliant with privacy laws had better start soon. These clauses will need to be embedded in new contracts going forward, or added as an appendix to existing ones, to protect both parties.
Preparing your organisation with training
With or without a deal, post-Brexit Britain is going to be a cybersecurity nightmare. To stand a fighting chance, we need to work collaboratively. Together, with strict compliance standards and effective training in place, we can move forward safely and successfully. We must all become experts.
Putting the right skills in the hands of the people who need them most will reduce – perhaps even eliminate – your risk of a cyberattack or mistake occurring. Educating your employees is the first crucial step in the war against cybercrime. Covering more than 500 risk topics across 32 languages, our full suite of customisable compliance training works with organisations to mitigate risk and enable employees to make the right decisions.
Andrew (Andy) Nickolls is the Director for Compliance Solutions at Skillsoft EMEA.