GDPR is one of the most over-used terms of the year, even outranking Beyoncé in Google search interest.
It’s true that GDPR comes with its challenges, with privacy breaches now meaning potential fines of up to four per cent of global turnover.
However, it also marks a positive step towards the business community taking the privacy of their customers more seriously and gaining greater value from data held.
But what does data protection look like now the GDPR deadline has passed and how can businesses use this shake-up to their advantage?
Look on the bright side
A recent study found GDPR would make up to 75 per cent of customer data held by UK companies ‘useless’. Database depletions on this scale may appear disastrous, but for years, businesses have wasted time and money communicating to people who have never (and are never going to) engage with their brand.
The truth is, there will always be winners and losers in every situation where regulatory changes are involved. To be a winner, you must be open to the opportunities GDPR offers to refresh key business functions and gain advantage over your competitors.
A ‘data detox’ is well overdue, leaving only quality leads and redefining customer relationship management. This, in turn, will simplify compliance with Data Subject Access Requests and reduce infrastructure costs for things like data storage, back-ups and security.
The public has never been so conscious of data protection rights or held such high expectations of companies they engage with. Proving you take their privacy and security seriously will enable you to build trust with both the converted and more sceptical customers.
Take ownership
Previously, data protection legislation exclusively focused on the company ‘owning’ the data, not the actions of third parties with access.
However, under GDPR, many controllers worry they may face unlimited liability for a breach experienced by data processors on the grounds they failed to exercise due diligence.
An obvious example is Facebook’s role in the Cambridge Analytica scandal. The ICO came down hard, fining the platform £500,000, the maximum it could give under the old data protection law.
Facebook got off fairly lightly. If the breach had occurred post May 25th, they could’ve paid a much heftier price: four per cent of its $40 billion 2017 global revenue is an eye-watering $1.6 billion fine.
To protect against liability damages and minimise risk, you need to map where the data you’re accountable for lies along the supply chain and how your partners are using it.
For both old and new contracts, check you undertake a level of diligence appropriate to the risk that supplier presents to you. Data processors should notify you of a breach and provide the necessary support to respond effectively.
It’s essential to clearly outline what data is being shared, what it can be used for, how long it can be kept and what will happen after the contract ends. This will help you inform the ICO of the compliance steps you’ve taken if the worst does happen.
A (cultural) shock to the system
There’s a lot of stress around GDPR compliance, and it’s likely execs will continue to toss and turn in their beds for months to come.
When security breaches make the headlines, they tend to be about nefarious actors in other countries or the calamitous failure of technology. However, according to Kaspersky, in 45 per cent of enterprises workers hide security incidents, and uninformed or careless staff are one of the top causes of breaches, second only to malware.
The reality is no matter the size or the scope of a breach, usually it’s caused by an action, or failure, of someone inside your company.
Presenting new business practices and security controls to support data privacy can be tough. If users perceive the changes as too disruptive and their managers are not actively supporting them, the danger is that staff will simply avoid using them.
However, if your security culture is positive and driven from the top down, based on an educational approach rather than a restrictive one, the results will soon be clear.
A standardised set of operating controls helps maintain compliance. Add best practices from other organisations and assess compliance on a quarterly basis. Make sure all employees, whether working on-site or remotely, are informed of any updated protocols to keep defences strong and promote accountability.
Regular training workshops hosted by experts are a must; try IAPP courses which can be taken online or in person. It’s good practice to test how well your employees can apply their cyber security knowledge.
There’s also the issue of remaining on top of the evolving cyber threat landscape, as the GDPR requires you to maintain a level of security appropriate to the risk. At one end, attacks are evolving to be more intelligent; at the other, techniques such as social engineering continue to exploit people’s trusting natures to obtain confidential information voluntarily.
Email phishing for users’ credentials has made a resurgence; it is a technique requiring little skill from attackers.
The business email compromise (BEC) attacks many organisations are experiencing today can be attributed to threat actors similar to those who carried out the 419 scams (advance-fee frauds) common ten years ago. These are rarely advanced or targeted attacks, yet they generate vast revenues – the FBI recently reported global losses of more than $12.5 billion since October 2013.
GDPR is a real chance for businesses to future-proof their processes, monetise data fairly and build loyal relationships with suppliers, partners and customers.
Mark Overton is information security officer at Softcat.