Almost two years on from the GDPR enforcement date, now is a good time to take stock of the impact the regulation has had on businesses: the steps they’ve taken to ensure compliance, and how many might still be at risk of a data breach that could result in a fine from the Information Commissioner’s Office (ICO).
At the start of the enforcement period, the ICO began wielding its power gradually, with an initial slow trickle of penalties, followed by a brace of major fines levied against British Airways (£183 million) and Marriott International (£99 million) in July 2019. This suggested a ramp-up of activity against those organisations in violation of the regulation, but this hasn’t been the case.
According to a GDPR data breach survey from law firm DLA Piper, up to the end of January 2020 almost 161,000 breach notifications had been made to data supervisory authorities in the European Economic Area (EEA) since the regulation came into force. This averages out at almost 280 per day. The total amount of fines imposed across the entire EU is relatively low, however, sitting at just €114 million at the time of writing (the BA and Marriott Hotels fines are still pending).
In the UK, more than 22,000 personal data breach notifications have been received, but only one small penalty has been issued – to Doorstep Dispensaree for “careless” storage of patient data in December 2019.
And while they may be eye-watering, the sanctions slapped on BA and Marriott are nowhere near the potential maximum fine the ICO could have imposed, of four per cent of their annual global turnover.
So, how has the advent of GDPR and its enforcement changed the attitudes and security strategies of UK businesses?
Encryption as standard
One significant change has been an increase in the encryption of corporate data. Over a quarter (27 per cent) of respondents to a survey carried out by Apricorn said that lack of encryption had been one of the main causes of a data breach within their organisation. Forty-one per cent had noticed an increase in the implementation of encryption in their organisation since GDPR was enforced.
Two thirds of UK businesses now hardware-encrypt all data, whether it’s at rest or in transit – a significant rise on 2018, when only half did so. More than half enforce data encryption on all mobile devices and removable media.
This indicates there’s been a ‘lightbulb moment’ for businesses in terms of the importance of encryption in GDPR compliance and the protection of sensitive data. Not only does Article 32 of GDPR recommend encryption as a method to protect personal data, but Article 34 notes that if a breached organisation "has implemented appropriate technical and organisational protection measures such as encryption" it can avoid the obligation to notify each individual data subject, and the resulting administrative costs.
Increased C-suite attention
GDPR has also driven cybersecurity and data protection up the boardroom agenda, with the C-suite now owning the security budget in 86 per cent of the companies surveyed by Apricorn.
Organisations are allocating just under a third of their IT budget to GDPR compliance; to put this into context, research commissioned by IBM in 2018 set the ideal spend on cybersecurity as a whole as 9.8 to 13.7 per cent of the overall IT budget. This demonstrates how highly businesses are prioritising investment in the protection of personally identifiable information (PII).
The increased recognition of the role of encryption as a key component of the data security strategy, in tandem with the rise in executive attention and budget allocated to GDPR compliance, represents some constructive steps. However, the picture is not entirely positive.
Not walking the talk
In 2018, 98 per cent of businesses that knew GDPR applied to them expected they’d need to assign further budget and resources after achieving compliance, to keep on the right side of the regulation. However, in the latest survey, almost a quarter (24 per cent) of respondents who claimed to be compliant said there was no need to invest any more money or resources in remaining so.
This suggests there’s still a potentially serious ‘awareness gap’ around GDPR. While businesses may have got their house in order, it can’t stop there; cyberthreats are constantly evolving, new technologies are being introduced, and new employees are joining the payroll. All of this introduces additional elements of risk that could compromise compliance. Organisations must be mindful of this – acknowledging GDPR is an ongoing process, not a tick-box exercise – and continue to monitor, manage and maintain their compliance.
Continue to enforce and update all security policies. It might be worth appointing a dedicated GDPR expert or team with the responsibility for reviewing security and data policies on an ongoing basis, against GDPR and other regulations. Policies, processes and procedures must be easy to understand and follow, and explained clearly in any employee documentation.
Invest in employee education. Carry out regular cybersecurity skills training and knowledge refreshment for all staff, including senior executives, and incorporate GDPR awareness training into the onboarding process for new staff. Programmes should cover the specific risks to the data the organisation handles, best practice for preventing exposure, and the consequences of failing to prevent a breach.
Mandate the encryption of all personal and sensitive data. This is a key component of the compliance ‘toolkit’, reducing the probability of a breach and helping to mitigate any financial penalties and obligations that would apply. Encryption protects information when it’s being stored, but also at perhaps its most vulnerable point: when it’s on the move, in an employee’s pocket or in transit to another system or database. It's good practice to encrypt and secure all smartphones, laptops and tablets. Emails too should be encrypted, both incoming and outgoing.
Organisation-wide use of removable storage devices that feature strong hardware encryption provides a practical way for employees who are mobile or working remotely to move data offline safely. This mitigates threats such as attacks targeting cloud storage, or brute-force attacks on software-encrypted information. This policy can be enforced by locking down USB ports to accept only corporately approved devices.
The ICO's initially hearty approach to enforcing GDPR has brought home to organisations and consumers alike the value of personal data, and the risks of failing to secure it. It has focused the minds of security teams on the need to ensure they reliably and consistently protect their information assets – and this has led to a sharp rise in end-to-end data encryption.
However, while the number of notifications received proves that the ICO has created an environment in which breaches can be easily reported, and we’ve seen some positive steps towards ensuring compliance, there’s a worrying sense among some businesses that it’s ‘job done’. Currently, there is often a lengthy delay between a notification and any resulting sanction. I suspect we will see the ICO take more decisive action in the near future, which would serve as another wake-up call and a reminder that businesses have the obligation and responsibility to protect all sensitive data they process.
Jon Fielding, managing director EMEA, Apricorn