Businesses must quickly shore up cybersecurity defences and regulators in charge of GDPR fines should enforce compliance
Monday, May 25, 2020, marks the second anniversary of the launch of the General Data Protection Regulation (GDPR). The European Union attracted worldwide acclaim in 2018 when it rolled out the first data-protection legislation, but has since been criticised for not going after big tech companies. In November NSA-whistleblower Edward Snowdon labelled GDPR a “paper tiger”. Organisations are, however, changing their behaviour concerning data protection, according to new research published by Tanium, an endpoint security and systems management company based in California.
“GDPR has been a forcing function for many chief information security officers (CISOs) to overhaul longstanding IT systems and policies rapidly to better safeguard consumer data,” says Chris Hodson, CISO at Tanium. “This has been costly, with our research showing the average large organisation in the United Kingdom has spent £53.5 million on compliance with GDPR and equivalent international regulation.
“Despite this increased investment, organisations still feel unprepared to deal with the evolving regulatory landscape, with 37 per cent of IT leaders claiming that a lack of visibility and control of computing devices is the biggest barrier to maintaining compliance.”
While there has been increased spending on regulatory compliance because of GDPR, there is a growing worry that the move to home-working has raised potential issues of data protection.
RISE OF UNKNOWN DEVICES
“Our research found that 93 per cent of IT decision-makers have found unknown computing devices such as laptops within their IT environment, and 71 per cent of global CIOs discover new computing devices on a weekly basis,” continues Mr Hodson.
“This lack of visibility has been exacerbated during the pandemic, as many organisations have allowed employees to connect their personal devices (BYOD) into the corporate network. This sudden rise of unknown devices presents an increased risk as a single missed computing device could be a compliance violation waiting to happen.
“The first step to compliance must be gaining real-time visibility of all computing devices to improve IT hygiene, effective risk management, and regulatory compliance.”
The Information Commissioner’s Office (ICO) has scooped up an estimated £315 million in fines from UK businesses through GDPR, including more than £99 million and £183 million for data breaches of Marriott International and British Airways respectively. The ICO has handed all the money to HM Treasury’s Consolidated Fund, which is used to “pay for vital public services like the National Health Service, policing and education”, a Treasury spokesman told MillGens.
An ICO spokesperson added: “Good information handling makes good business sense. It enhances a business’s reputation, increases customer and employee confidence, and by making sure personal information is accurate, relevant and safe, saves both time and money.
“Under data protection law organisations have the obligation to keep personal data secure, whether in electronic or paper format, and to report serious security breaches to the ICO within 72 hours.
“Organisations should regularly review, and if necessary improve, their security measures and data governance practices to ensure that they are taking the appropriate measures to safeguard the personal data they hold.”
TIME TO DIAL UP THE PRESSURE
Pete Watson, Chief Executive of Atlas Cloud, a company that has been pioneering the increase in remote working for a decade, believes GDPR will start to dial up the pressure on businesses. “Footballers get an easier ride in their first season, and so are businesses in the way they handle GDPR,” he says. “But the long-term trends show that this will change.”
In an open letter to the Treasury, published exclusively on MillGens on Saturday, Mr Watson called for the fines collected by GDPR in the UK to be put to good use: specifically helping disadvantaged children improve their career opportunities with technology.
“Now is the time to hear that more than £315m in fines the ICO has collected for GDPR breaches are being put to good use and spent on giving disadvantaged children laptops so that they can participate in homeschooling and the jobs market much more effectively over the coming years,” he says.
“As we mark the second anniversary of GDPR it’s important to acknowledge the emergence of conflicting trends, which are influencing how businesses and the public view data protection.
“The emergence of the world’s largest global health emergency in more than 100 years and the resulting economic shock makes data protection seem less important in the short-term. Indeed, to this end, it is important to acknowledge that the Information Commissioner’s Office has recognised that COVID-19 could temporarily impact businesses ability to comply with data protection law. As such the ICO say they expect to conduct fewer investigations and focus their attention on those circumstances which suggest serious non-compliance.”
TRENDS SHOW IMPORTANCE OF DATA PROTECTION
Mr Watson continues: “However, there are two other overriding trends which mean data protection will become far more important in the coming months and years. The first trend is that consumers are becoming much more aware of the importance of their personal data and the value of their personal data to businesses and political organisations as exposed by the documentary The Great Hack and the fact that 50 million people had their Facebook profiles harvested and mined without their knowledge and consent. This has led to the emergence of organisations like the Own Your Own Data Foundation.
“The second key driver is that COVID-19 has led to the largest overnight change in working habits in world history. This has resulted in hundreds of millions of people changing from being office workers to working from home.”
Atlas Cloud has created one of the most extensive surveys of British working habits since the lockdown began, examining the practices of more than 3,000 office workers. The research shows that a quarter of workers (25 per cent) are using a personal laptop for home working and more than half of those (58 per cent) are storing work files on their personal device.
Mr Watson adds: “When this happens, organisations face having sensitive business information stored on dozens and sometimes hundreds of devices across Britain and across the world. To be GDPR compliant, the use of personal devices should only be authorised where the security of the data stored on the device can be guaranteed.
“This huge overnight switch in the way that people are working means it is highly likely that thousands of businesses across Britain are not properly complying with the GDPR legislation.”
IGNORING GDPR IS COSTLY
Matt Lock, Technical Director UK at data security firm Varonis, agrees. “Reports that the ICO isn’t taking forward any cases and delaying current ones sends the message that regulators have pressed pause for the time being,” he says. “There isn’t time to lose – the public needs to know safeguards will remain firmly in place and that companies that stray from GDPR requirements will be held accountable.
“Especially at this time when personal data is being shared and processed in efforts to manage the pandemic. It may be tempting to bend the rules now, but industry and regulators can’t turn the clock back.
“Ignoring data protection in the short term only opens the door to long term issues. The pandemic forced companies to get their teams up and running remotely. In the rush to remote work, many organisations eased access and normal safeguards to ensure everything could remain business-as-usual. In doing so, they widened the attack surface. No doubt, some companies have been compromised and don’t know it yet. In the weeks and months ahead, expect to see a slew of disclosures to the ICO.”
Mr Lock concludes with a warning: “Companies and regulators must prepare for an upcoming wave of targeted cybercrime. Attackers typically encrypt data and hold it for ransom. In the months and years ahead, sophisticated attackers will go after valuable ‘big game’ targets and quietly steal important information before they encrypt it. Victim organisations will be forced to pay twice – once to get their data back and again to pay off the attackers out of fear that their biggest corporate secrets will be spilt.”
On the second anniversary of GDPR, it’s clear more work needs to be done, by both businesses and regulators.