On 19 April 2017, the UK Government’s Department for Culture, Media and Sport (DCMS) published a report on cybersecurity breaches and how they affected UK companies in the last year. Headline statistics from the report include:
- 61% of businesses hold personal data electronically;
- 46% of all UK businesses identified at least one cybersecurity breach in the past year, rising to 51% of those that hold personal data on customers, 66% amongst medium-sized firms and 68% amongst large firms;
- The most common breaches involved members of staff receiving fraudulent emails. This demonstrates that technical measures can only take an organisation so far, and that strong procedures and training are vital;
- External reporting of breaches is still not common – only 26% of companies reported their most serious breach to someone other than a cybersecurity company who could assist with solving the problem. This will have to change where personal data is lost under the GDPR;
- Only 37% of businesses have any rules around encryption of personal data, and 37% of businesses have segregated wireless networks; and
- Only 13% of businesses require their suppliers to adhere to specific cybersecurity standards.
The report indicates that a number of UK companies have not implemented comprehensive cybersecurity policies or put strong safeguards in place to protect against cyber attacks. The General Data Protection Regulation — in particular the requirement to ensure all personal data is protected by appropriate technical and organisational measures — provides a real opportunity for any organisation to build a new cybersecurity strategy. Documenting the decisions taken on these measures will be useful for showing compliance with the new requirements for data protection by design and by default.
The GDPR provides some examples of measures to consider when thinking about security measures, including pseudonymisation, encryption, and consistent access controls for personal data, as well as a process for regularly testing the effectiveness of all the measures which are implemented, most likely through security scans and audits. In the event of an incident, the GDPR recommends that organisations have the ability to restore availability of and access to data.
Ensuring that appropriate processes are in place and followed, both for systems testing and for granting employees access to the appropriate categories of personal data, will be just as crucial as having the security technology in place. Meanwhile, it will be vital to have a documented plan in place to cope with data breaches, as organisations will be required to notify supervisory authorities within 72 hours of discovering a breach, and organisations will need to be ready to gather as much information about incidents as they can.
All in all, given the prescriptive nature of the GDPR, meeting the right standards of protection should be seen as a top compliance priority.