There has been concern and uncertainty following the result of the EU referendum that Brexit may leave the UK misaligned with the rest of the EU - making digital business and trade that much harder.
Earlier this month consultancy firm KPMG surveyed 100 UK CEOs and found that 60% believe their ability to do business would be hindered once Brexit takes place if GDPR wasn’t implemented. At the time, KPMG global privacy advisory lead Mark Thompson, said that “Brexit poses some uncertainty” and that “the worry amongst this cohort of CEOs is understandable”.
However, a report released this week by the Department for Culture, Media and Sport (DCMS) confirms that that GDPR rules will be applied from May 2018.
Given the quickly evolving nature of cyber security and the increasing number of threats, GDPR aims to strengthen the protection of data held by businesses operating within the EU.
GDPR has a number of requirements, which include:
• a requirement for consent - businesses will need to ensure that all customers know that you have their data and that they consent to the business having that data
• businesses will have three days to report data breaches to both the authorities and customers
• the Right to be Forgotten - customers will have the right to ask businesses to delete all of their data, and to prove that they have
• data portability - the aim being to create an environment where businesses can easily swap their data between different providers, whilst ensuring the data is erased from the old provider’s systems.
• hefty fines for data breaches will be introduced - up to €20 million or 4% of global annual turnover for the preceding financial year, whichever is the greater.
Minister of State for Digital and Culture, Matt Hancock, who has previously hinted that GDPR would stay in place, upon the release of the report said:
As part of building a country in which people have confidence to use and build digital technology, we are committed to making the UK the safest place in the world to go online. The responsibility for keeping the UK, its economy and its citizens safe is shared.
Every business, charity and institution up and down the country must realise that cyber security is their job as much as it is Government’s. Only when the effort is concerted and persistent can we fully tackle this challenge.
The Review notes that the upcoming General Data Protection Regulation (GDPR) will be key to ensuring strong organisational data protection regimes supported by strong cyber security.
A strong case
The report goes on to explain the government’s stance on GDPR, outlining why it is important for the UK and its digital economy to have a strong framework for data protection and security. Ministers want to incentivise better security, whilst also avoiding “unnecessary business burdens”. It notes that this particularly important given that the UK looks to what opportunities are available from leaving the EU.
The review also found that there is clear public interest in protecting citizens from crime, where it may not otherwise be in an organisations’ commercial interests to do so. The government believes that the breach and reporting requirements and fines under GDPR should fix this, and will “represent a significant call to action”.
However, DCMS has said that it will not seek to pursue further general cyber security regulation for the wider economy over and above the GDPR.
The report explains that GDPR is necessary given the number of failings in the security and cyber market. It points to “information failure”, where organisations do not know which cyber security companies they can trust.
The cyber security suppliers hold more information about the effectiveness of their services than the buyer can get access to, and the buyer does not know whether these will be appropriate for the vulnerabilities in their IT systems. The report states:
While a problem common to many markets, it is particularly acute for cyber security due to its technical and constantly changing nature.
And, obviously, this becomes more problematic as the digital economy continues to grow and the opportunity for cyber criminals to exploit vulnerabilities increases. As was noted at a recent start-up conference in Europe, cyber security experts believe “we are at war every day” and said that we have spent “the last 20 years building an amazing internet without any thought of security at all”.
DCMS notes that given the nature of attacks, many businesses may not know their IT systems have been breached, smaller companies assume they’re not a target when they are, and that companies assume liability lies with their banks or other system providers. Ultimately, they don’t have a grip on their data protection.
The report states:
As a result businesses incur financial losses with the average direct costs of a breach estimated at £36,000 for large businesses and £3,100 for micro/small businesses. The most costly single breach identified in the Cyber Security Breaches Survey was £3,000,000 for a large firm.
Despite the potentially significant financial costs, evidence shows businesses are not doing to enough to protect themselves, both in terms of technical controls but also risk management and incident response. Whilst 69% of businesses say their senior management consider cyber security is a very or fairly high priority for their organisation just over half (51%) of all businesses have actually taken recommended actions to identify cyber risks, and only 10% have a formal incident management plan. Only 17% of businesses say their staff attended some form of training on cyber
security in the last 12 months.
This news should ease concern for businesses that were worried about being out of sync with the rest of the EU when it comes to data protection and guidelines. However, 2018 isn’t far away and the risk of getting this wrong could be substantial for companies - the fines being proposed are hefty. And beyond that, reputational damage from a breach should never be underestimated. Lots of work to do.