CS1907

More documents

Recommendations

Info

GDPR GDPR BARES ITS TEETH WITH THE ONE-YEAR ANNIVERSARY OF GDPR COME AND GONE - AND THE FIRST FEW HEFTY FINES NOW IMPOSED BY THE REGULATORS - WE LOOK AT WHAT IT ALL MEANS FOR THE FUTURE OF THE INDUSTRY The General Data Protection Regulation (GDPR) shook things up in a way that hadn't been seen in a long time. More specifically, it signalled the biggest overhaul of EU data protection law in more than 20 years. The GDPR replaced what had been the current EU Data Protection Directive to create a unified data protection legislation covering all individuals in the European Union. It affected any business which had access to, or processed, the personal data of an EU resident, regardless of where the business was located, inside or outside the EU. It arrived more 'softly, softly' than with a snarl, perhaps suggesting that its teeth had been pulled before it was ever liberated from the cage. Indeed, many thought the GDPR was more about handbags at dawn, rather than real action. Administrative fines for companies may, in the most serious cases, go up to a maximum of 20 million or 4% of annual global turnover (whichever is greater), which may amount to billions of euros for the tech giants, in addition to other sanctions such as orders to halt data processing. "While the fines issued during the GDPR's first year have been much less than such maximum amounts - for example, Google was fined 50 million by the French CNIL, far below the maximum of approximately 3 billion - data protection authorities, such as that of Ireland, have warned of fines to come being "substantial," says TBS Business School Law Professor Gregory Voss. "That we haven't seen more large fines to date is due in part to the GDPR fines only applying to data protection violations since May 25, 2018, and the fact that it takes time to conduct investigations." However, with a couple of big hitters now in the stocks over breaches of GDPR, the tide may be turning. First up to be targeted was British Airways. The ICO's announcement on 8 July that it plans to fine the company £183.39m in relation to its high-profile data breach has sent a very clear message that the data enforcement landscape has well and truly changed. The fine relates to a cyber incident notified to the ICO by British Airways in September 2018 - and would be by far and away the largest fine handed out by a European data protection authority (at least as I write now! - Ed). HITTING THE SPOT "It is interesting to note that British Airways owner IAG released an announcement to the market and the ICO has issued its press release, despite the fact the ICO's intention to 10 computing security July/August 2019 @CSMagAndAwards www.computingsecurity.co.uk
GDPR fine is preliminary," states Ashley Hurst, partner and head of tech, media and comms at international legal practice Osborne Clarke. "Historically, fines were announced once the final decision regarding the amount of that fine was reached. It may be that the size of the proposed fine and the listed status of British Airways was such that there was no choice but for IAG to publicly announce the size of the intended fine." The proposed fine will also provide encouragement for a rapidly growing group of claimant personal injury lawyers looking to bring post-data breach claims for compensation, he adds. "It is often difficult to attribute a data breach to a breach of the GDPR and even more difficult to prove that such a breach has led to damage and distress, so it will be interesting to see whether the ICO will make any comment about this." Over the last year, speculation has been rife regarding the approach that the ICO will take to fines. "It is now clear that the ICO will not be gradually scaling up from its previous £500,000 maximum: the proposed £183.39m penalty is equal to 1.5% of British Airways' worldwide turnover of £12,226m in 2017," adds Hurst. "This is substantially less than the possible maximum GDPR fine of 4% of worldwide annual turnover, but still startling and demonstrates more than ever that cybersecurity needs to stay on the board agenda." Prior to this announcement, the total value of all fines issued under the GDPR across all EU member states had amounted to 56 million euros. This includes a 50 million euro fine by the French DPA (CNIL) against Google for what the CNIL considered to be a lack of transparency, inadequate information and lack of valid consent, in relation to Google's use of personal data for the purposes of personalising advertisements. And Osborne Clarke’s Hurst adds: "When the decision is finally published, this case should provide some long-awaited clarity regarding the ICO's exercise of its enforcement powers and, in particular, what it considers to be 'appropriate technical and organisational measures' to protect personal data, which is the key technical standard littered throughout the GDPR." ANOTHER BIG TARGET Following on from the BA debacle, Marriott is next up, as it also faces a huge data fine: £99 million for allegedly failing to protect customer data. The hotel chain acknowledged in a regulatory filing in July this year that Britain's Information Commissioner's Office intends to impose the fine under the GDPR. Jake Moore, Cybersecurity Specialist at ESET, had this to say in the wake of the news breaking: "Well, the snowball has surely started to gain momentum now and this just highlights that it's not just UK companies at risk of eye-watering fines either. Other firms who suffered from large breaches post-May 25, 2018, better start saving, because the ICO Gregory Voss, TBS Business School: the relatively low levels of GDPR fines is a reflection of the time it takes to conduct investigations. Jake Moore, ESET: other firms who suffered from large breaches post-May 25, 2018, better start saving, because the ICO clearly means business. FALLING SHORT For Jason Hart, cybersecurity evangelist, Thales, GDPR hasn't improved data protection to the extent many in the industry had hoped. "With the number of breaches being reported dramatically increasing, it's clear the threat of fines and a potential hit to their reputation is only having a small impact on how seriously businesses take their cybersecurity. Worse, just a tiny percentage of the attacks can be considered 'secure breaches', where the stolen data is encrypted, rendering it useless to cybercriminals. Unless businesses are made to adhere to GDPR recommendations such as encrypting data directly it will continue to have minimal impact in the UK." www.computingsecurity.co.uk @CSMagAndAwards July/August 2019 computing security 11
Page 1 and 2: Computing Security Secure systems,
Page 3 and 4: comment NATION IN TRANSFORMATION In
Page 5 and 6: p ent est INFORMATION SECURITY ASSU
Page 7 and 8: editor's focus from the public and
Page 9: True multi-factor authentication wi
Page 13 and 14: case study "Equally, it does not he
Page 15 and 16: product review WEBROOT BUSINESS END
Page 17 and 18: financial focus an online banking u
Page 19 and 20: inside track EDUCATION, EDUCATION,
Page 21 and 22: Webroot empowers businesses with pr
Page 23 and 24: threat intelligence have seen an im
Page 25 and 26: 12th edition of the most recognized
Page 27 and 28: cyber espionage a "sobering story"
Page 29 and 30: CYBER SECURITY europe 9-10 October
Page 31 and 32: industrial cyber security MULTIPLE
Page 33 and 34: endpoint detection and response GET
Page 36: Brookcourt Solutions (A Shearwater

CS1907

Create successful ePaper yourself

Delete template?

Save as template?