Last year, emails and newsletters flooded into our inboxes following the introduction of the General Data Protection Regulation (GDPR) on 25 May 2018. Most of us took this as an opportunity to unsubscribe from the mailings that were constantly filling up our inboxes. The main purpose of GDPR, however, was to strengthen the protection of personal data, which includes reducing the risk of that data being exposed by cyberattacks. Yet one year on from the introduction of the new rules, silence has fallen over the topic. Many businesses have distanced themselves from it, under the assumption that GDPR won’t affect them.
That laissez-faire attitude sits uneasily with the enforcement figures: GDPR fines totalled €56M in the first year, with more than 200,000 investigations, 64,000 of which were upheld. The total to date remains dominated by the €50 million fine imposed on Google by France’s data protection authority, the CNIL.
The approach to GDPR, and the reaction to it, differ widely across Europe. Countries such as Slovakia and Sweden have yet to issue a single fine, while Poland, Portugal and Spain have fined companies several hundred thousand euros. Germany has seen some of the highest levels of GDPR activity, with 42 fines imposed, averaging €16,100, and 58 warnings issued. By comparison, the Netherlands has issued over 1,000 warnings but only one fine, which happens to be one of the highest in Europe at €600,000. Whether the level of fines reflects poorer compliance in some countries or less diligent Data Protection Authorities (DPAs) in others remains a grey area.
So where are businesses going wrong when it comes to GDPR compliance?
Why are businesses the prime target for cybercriminals?
A business’s network is the highway its data travels on, which makes it the prime target for cyberattacks. Even if data-handling policies and procedures are GDPR-compliant, those efforts count for little once the network is breached and the data itself is exposed. Strengthening the network to protect the data must be a priority for businesses of any size that want to avoid falling foul of GDPR and possibly facing severe financial penalties.
Companies found in breach already risk fines of up to €20m or 4 per cent of global annual turnover, whichever is higher. Yet compliance remains a challenge. Arguably, this is because running an email campaign and updating internal documents is a much easier exercise than taking concrete steps to safeguard the network and protect sensitive information.
Cybercrime is an evolving threat that can cause catastrophic damage. Cybercriminals use increasingly sophisticated ways of penetrating IT infrastructure, making it difficult for businesses to defend their networks and keep data safe. The harsh truth is that no network can be made completely secure and unbreachable. Thankfully, that is not what GDPR requires of companies.
What the legislation requires (Article 32) is that businesses implement technical and organisational measures appropriate to the risk, taking into account the state of the art and the cost of implementation, and that they are able to demonstrate this. In practice, a business needs robust and reliable controls that show it is serious about restricting access to, and protecting, its digital assets. At this stage, it appears that most businesses would struggle to prove that their network is as secure as it reasonably could be.
The importance of robust security
Legislation, including GDPR, is only as powerful as its enforcement. Looking ahead, Ernst & Young expects European authorities to become more stringent. "We expect European regulators to implement their 2019 announcements and increase their fines," said EY partner Peter Katko. In the coming months, it will be critical for businesses to step up their game as DPAs ramp up their efforts.
While large companies can afford to outsource the task of putting security measures in place and maintaining them to Managed Service Providers (MSPs), smaller businesses often lack the required knowledge and resources. Yet the penalties for not dedicating enough effort to stronger cybersecurity measures can be a fatal blow to SMBs.
DPAs have the power not only to issue a fine but also to impose a temporary or definitive ban on processing data. The aim is to ensure that no more data can be compromised while investigations take place, but this measure on its own could threaten the future of a business, especially once the accompanying reputational damage is taken into account.
To reduce the risks, there are practical steps that small businesses can take to bring the corporate network into line with GDPR requirements. Above all, they should build their networks on current cybersecurity standards and network infrastructure rather than relying on a standard domestic router with out-of-the-box anti-virus software. It is time to move on and reap the benefits of the new tools available.
For example, previously specialist technology such as Advanced Threat Protection (ATP) is now moving into the mainstream and allows businesses to monitor and protect their network against cyber threats in real time. This will be crucial as attacks grow in number and sophistication. Such tools complement rather than replace the basics, however: patching, network segmentation, least-privilege access and logging remain the measures a DPA will expect to see in place first.
Businesses can’t afford to wait any longer. Not only do they need to keep up to date with regulators’ guidance and the enforcement decisions of DPAs, but they must also review their existing network infrastructure to reduce the risk of cyberattacks. They must also prioritise internal cybersecurity awareness and education, so that everybody in the organisation knows how to handle data securely and what to look out for when it comes to threats to the network.
Whilst uncertainty about the legal implications of GDPR still prevails and businesses have fallen silent on the topic, it is important that we break that silence and bring GDPR back to the top of the business agenda. Data protection is paramount, and the consequences of failing to recognise this can and will be damaging.
Thorsten Kurpjuhn, European Market Development Manager, Zyxel