Geraldine Strawbridge

Geraldine Strawbridge is a graduate from the University of Glasgow. As the Editor of Cyber Radio, Geraldine is focused on delivering the latest cyber security news whilst making cyber security more relatable to people in their everyday lives.

The GDPR deadline has been and gone. Organisations need to now demonstrate greater levels of transparency, accountability and responsibility in how they are storing and using personal data.

Data is one of the most important assets an organisation holds, so it is vital that the organisation can demonstrate it is using this data in a legal and transparent manner, in compliance with the GDPR.

Consumers are all too aware of the value their data has to criminals, and the damage that can be done if it falls into the wrong hands. Data breaches have now become increasingly commonplace and not a week goes by without hearing about a new high-profile breach in the press.

Last week saw the announcement from Dixons Carphone that a major data breach had occurred involving 5.9 million bank cards and the personal data of 1.2 million customers.

The breach predated the 25 May GDPR deadline, so despite the damage to the reputation of the company, it’s likely that any fine imposed will fall under the previous data protection rules in the UK.

Had the breach occurred post GDPR, the company would have felt the full force of the legislation and been fined up to 20 million Euros or 4% of its annual global turnover. Dixons Carphone reported revenues of £10.5 billion in 2017, meaning that the company could have potentially been hit with a massive £423 million fine.

The UK’s regulatory body, the Information Commissioner’s Office (ICO), has yet to announce the exact fine that will be issued to the company, but given that this is the second time in five years that the company has been involved in a data breach, it is highly likely that it will be fined in excess of £500,000.

The data breach highlights the potentially devastating impact that a breach could have on a business post GDPR.

If a business finds itself in the unfortunate position of being compromised by a data breach, it is vital that it takes immediate steps to mitigate any damage.

What steps can be taken to manage a data breach?

A data breach involves the compromise of information to an unauthorised party. In many cases these are cyber breaches via hackers, malware and phishing that result in the loss of credit card data, personal health records and financial information.

To ensure that organisations are equipped to effectively deal with a data breach, they should have an Incident Response Plan in place outlining how incidents will be identified, who will be engaged, how the threat will be contained and eradicated, and how the business will document and report on the breach.

Once organisations are aware that a privacy breach is in progress, the immediate concern is to stop the breach from continuing. The GDPR requires that organisations disclose any personal data breaches to the relevant supervisory authority within 72 hours of detection.

If the breach results in a high risk to an individual’s rights and freedoms, then the individual must be notified with immediate effect. The first 24 hours will be crucial in managing the incident effectively.

The longer a breach continues without mitigating measures, the greater the risk to the data subject in terms of privacy impact. It will also be vital for organisations to assess what led to the breach in order to prevent the same type of incident from happening again.

How can I protect my business from a data breach?

To reduce the chance of a data breach occurring, there are a number of steps that organisations should follow:

1. Update security software – Security software should be regularly updated to prevent attackers gaining access to networks through vulnerabilities in older and outdated systems.

2. Identify all information held – Organisations will need to look at the type of personal data held, where it is held, where it was sourced, length of retention, its use, access rights and how it is shared.

3. Regular audits and risk assessments – The new legislation specifies that organisations must conduct regular audits of data processing activities and comply with a set of data protection principles that will help safeguard data. This will ensure that a suitable framework is in place to keep customers’ personally identifiable information secure and mitigate any risk.

4. Staff training – Most data breaches begin with a simple phishing email, so security awareness training will be essential to equip staff to identify and respond appropriately to the growing range of cyber security threats.
