How to plan your security strategy in time for the Data Protection Act

Henderson Insurance Brokers issues a warning to companies to prepare their cyber security policies in light of new legislative changes.

Henderson Insurance Brokers is advising firms to review their cyber security policies to guard against heavy sanctions when the new EU Data Protection Act comes into force.

The insurance broker, which has offices across the North East in Newcastle, Stockton and Sunderland, is warning business owners to address any cyber security concerns before an attack occurs, since a successful attack could breach the Data Protection Act and lead to the publication of sensitive data about their client base or customers.

The current maximum fine for a breach of the UK Data Protection Act, which applies to personal data that is processed, is £500,000, but a reform of the EU data protection rules, which comes into effect on 25th May 2018, will see this figure rise to €20 million.

According to professional services firm KPMG, the value of fraud committed in the UK eclipsed £1 billion for the first time in 6 years. In addition, ONS figures revealed that there were 5.6 million incidents of fraud and cyber-crime in the UK in the 12 months to September 2016.

In light of a number of high profile cyber breaches, Dave Robson, regional managing director at Henderson Insurance Brokers, is advising firms to review their current procedures well in advance of the Data Protection Act, despite the UK’s impending departure from the European Union.

He says, ‘Cyber-crime cannot be ignored, given the rise of the digital economy and several high profile cases of breaches and releases of sensitive data. Penalties for Data Protection breaches are severe, but the new EU directive will deliver much harsher consequences, which will still be relevant to many companies operating in the UK with an international presence when Article 50 is triggered.

‘Business interruption and downtime can be costly enough, but if adequate cyber cover is not in place, this can result in further unwanted expenditure as compensation may not be offered, not to mention any potential fines. At the end of the day, it is how an attack is responded to that will assist with any mitigating circumstances surrounding a claim.’

Robson is also advising firms to educate staff members and introduce robust procedures to help guard against a cyber event.

He adds, ‘Malware hacks and social engineering are commonplace and can present themselves as innocuous emails and communications with a business and its staff. While they may seem harmless, if there is any doubt whatsoever, staff should report anything and escalate the potential threat immediately.

‘Data controllers and managers should consider implementing policies that restrict work telephones and emails from being accessed and used for personal reasons, as in some cases, devices used outside of the workplace which contain a virus or have been the subject of an attack can infiltrate the company’s infrastructure when back in use at work.’

Owen Gough, SmallBusiness UK

Owen was a reporter for Bonhill Group plc writing across the Smallbusiness.co.uk and Growthbusiness.co.uk titles before moving on to be a Digital Technology reporter for the Express.co.uk.
