GDPR: How ready are you?

The race for compliance


Given the economic importance of the internet and the cost and regularity of preventable data breaches, it’s not surprising that enhanced regulation has been introduced.

GDPR is the European Regulator’s attempt to help businesses help themselves when it comes to managing personal data and keeping it secure. When it comes into force on 25 May 2018, it will supersede the Data Protection Act. It also brings headline-grabbing fines of up to 4% of turnover or EUR20m (whichever is greater) for non-compliance…

For those of you that think that Brexit will remove the obligation, think again. The UK authorities have indicated that post-Brexit they will adopt something substantially similar. In order to understand what GDPR requires, we need to understand the context that has driven its development. Let’s take a closer look at some recent breaches…

TalkTalk (UK)

What happened?

Hackers stole the names, addresses, dates of birth, phone numbers and email addresses of 156k TalkTalk customers. Some of these also had their bank account details stolen.

What was the impact?

The cost to TalkTalk was £60m, a tarnished reputation, the loss of 125k customers, and a £400k fine from the Supervisory Authority. Ultimately the CEO resigned.

How did it happen?

The hackers exploited a known vulnerability on a webpage in an inherited infrastructure for which a fix existed. The critical customer data was not encrypted.

Target (USA)

What happened?

40m customers had their credit card details stolen. These details were posted online and purchased by fraudsters.

What was the impact?

$240m in costs, protracted lawsuits, and the CEO’s resignation. As consumers lost confidence in Target and started to shop elsewhere, quarterly sales were 46% lower than the same quarter the year before.

How did it happen?

Using access obtained electronically through a vendor of Target, hackers inserted malware into Target systems which copied consumers’ card data and sent it on to criminals. Two separate systems identified malware on Target’s systems and raised alerts. The alerts were not acted upon.

Ashley Madison (USA with an international customer base)

What happened?

The records of 37m registered users of a website that facilitates affairs between married people were stolen and published online.

What was the impact?

Customers were blackmailed, four of whom committed suicide, a planned IPO was cancelled, a $578m lawsuit was launched and the CEO resigned.

How did it happen?

No one really knows how the data was obtained. One theory is that an employee copied the database. The user passwords to the database were encrypted, which should have protected the stolen data. However, research suggests that passwords were poorly encrypted. Worse still, Ashley Madison’s IT teams knew of the password encryption weaknesses and made ‘go-forward’ changes without going back to fix the earlier records.

The impact was made worse because the company kept personal data that was not required. When stolen, this allowed users to be identified with certainty. The data included real names, home addresses, search history and credit card transaction records.

A review of data breaches is not enough to get the full picture; let’s take a look at the facts…

Data breach statistics

  • It is estimated that 5.5m data records are lost or stolen every day, with over 9 billion records lost or stolen since 2013.
  • According to Symantec, 430m unique forms of malware were discovered in 2015. That’s more than 1m per day.
  • Juniper Research estimated in 2015 that the cost of data breaches was around USD 500bn, and will quadruple to USD 2.1tn by 2019, representing 2.2% of global GDP.
  • One recent study of reported data breaches stated 93% were avoidable. According to a Verizon report, 70% of outside attacks rely on known vulnerabilities, some of which date as far back as 1999. The report shows ten known vulnerabilities accounted for almost 97% of the security exploits for 2014, and 85% in 2015.

The requirements of GDPR are essentially a litany of lessons learnt from data breaches such as the ones examined above…

As we can see above, the components of GDPR that relate to data security represent a response to key trends and events in the market. GDPR seeks to recognise the issues in the existing data protection landscape and ensure that enterprises are held accountable. And the new rules are backed by stiff fines to help businesses help themselves as they race for compliance. Our tool can help companies assess whether they’re ready for GDPR and avoid these devastating fines.


You won’t believe how much of your personal data exists online or the ways it’s being used.

GDPR is not only concerned with security; it also covers data privacy. Data does not have to be stolen for there to be a breach of privacy – it can simply be used in ways that were not explicitly approved of. With the growth of data science and mountains of data in our everyday lives, data can now be used in ways that were unthought of not so long ago… Let’s take a closer look.

Predicting your voting preferences

Personal data is alleged to have played a role in the recent US Presidential election. The data analytics company said to have helped publicly states on its website: “We have a massive database of 4-5,000 data points on every adult in America”. It’s alleged that this data was used, through personally targeted messages, to find voters who could be convinced to vote for Mr Trump, as well as supporters of Mrs Clinton who could be persuaded to stay at home. There are allegations that similar methods were used during the Brexit referendum.

Predicting your spending habits (and offering special deals from affiliates)

In some countries (not the UK as far as I know), banks have knowledge of the items purchased as well as the location, the shop, the amount and time – basically the full receipt. That data is combined with the geo-location data that the bank receives from your mobile banking app to predict – with a high degree of accuracy – what you are likely to buy in that location. So, say you were about to arrive at your favourite restaurant, you may receive a message about another offer in the area from a restaurant that has partnered with your bank.

Data privacy is subjective. You may look at the spending habits example and think “what a fantastic convenience, think of all the money I will save”. Alternatively, you may be filled with horror that unknown people are able to watch and predict your actions. GDPR recognises the range of responses and makes data privacy a choice. Firstly, there must be transparency about the uses of data, i.e. you must be told how your data is being used, and then you must give explicit consent.

How does GDPR address privacy matters?

GDPR mandates that:

a) Data must not be used without explicit consent. GDPR gives individuals the right to sue those that use their data without their explicit consent. If you do not want data scientists to be able to predict how you will respond in certain scenarios, you can simply opt out.

b) You have the right to be forgotten. A consumer can ask for their data to be deleted. This is the ultimate form of protection – you cannot have your privacy breached if data about you no longer exists.

c) Data cannot be shared with other parties without explicit consent.

After recent developments in the uses of data, the GDPR response is to give control back to the consumer by giving them choice. Consumers will be told how their data is being used and give explicit consent for it to happen. Obtaining explicit consent will be a time-consuming task for most organisations, to say the least. But this consent is subject to audit and sanction, including the right of individuals to sue for unapproved use of their data.

It’s not just the banks that have to comply…

The approach that the regulatory bodies are taking to implement GDPR reminds me of the approach taken to client money protection. In the UK, the introduction of the CASS rules became one of the biggest headaches and sources of fines for financial service regulators. In my estimation, GDPR will quickly replace it due to the similarities in approach to regulation…

  1. Appointing an accountable executive.
  2. Potentially large fines (the largest CASS fine is greater than £120m).
  3. The exacerbating and mitigating circumstances used to calculate the fines are similar (such as how the breach was found, the duration of the breach, etc.).
  4. Self-policing and self-reporting of breaches and incidents.

I expect that, much like with client money breaches, we will see GDPR-related censures published by the supervisory authority with key points of failure described. Those documents will be pored over by responsible people in other organisations desperate to avoid the fines, public censure or an actual data breach resulting in financial loss. Client money only applied to a select few financial institutions in the banking industry, whereas GDPR covers all industries. There are many businesses out there holding personal data who will be in for a huge shock at how much work there is to do and the costs of non-compliance.


Think about how you can reduce the effort required to comply with GDPR and how you can maximise the benefits of your compliance efforts.

The biggest single task is likely to be data discovery. Knowing what data you hold and where you hold it is the foundation of complying with GDPR and should be one of the first tasks addressed. Given that many institutions have large amounts of data and less than 12 months until GDPR kicks in, discovery may need to be accelerated. Deployment of specialised software and artificial intelligence may help.

For those planning further forward, GDPR should not be considered in isolation. Data underpins the digital economy and is crucial to the competitiveness of many businesses. GDPR compliance should therefore be a component considered as part of a wider data strategy along with digitisation and the efficient deployment of technology. Leveraging the mandatory requirements of GDPR to develop a data strategy is an efficient way to ‘kill two birds with one stone’. Those who don’t have a strategy should seriously consider developing one very soon…

New rules enforced by heavy fines come into place in 2018. Who will be the first to be made an example of and will they go out of business?

The digital world continues to grow at an exponential pace. With that growth comes an explosion of personal data and greater risk of data theft and privacy breaches. The digital economy requires trust, transparency and privacy to continue to thrive. GDPR is Europe’s attempt to address issues likely to stymie its growth, and it is being enforced with potentially ruinous fines.

Will the threat of a GDPR enforcement be enough to improve market standards? I believe that the threat alone is not enough. The costs of a data breach are significant and, in many past instances, the CEO lost their job. Surely this should have already been enough to encourage the custodians of personal data to operate at the top of their game and protect it? Unfortunately not.

We’ve learnt that 93% of breaches were preventable (think old patches, poor passwords and ignored alerts), so the relevant authorities will be forced to levy some very stiff fines to get people focussed. The £400k fine levied on TalkTalk under the ‘to be superseded’ Data Protection Act is minuscule compared to those that can be imposed under GDPR. We should expect an example, in the form of a huge corporate fine, to be made.

Despite the costs of a breach and the step-change in the possible size of fines, I am surprised at just how little is being done to be ready for GDPR when it comes in on 25th May 2018. Research from Veritas shows that 47% of the respondents fear their organisation won’t meet the requirements of the legislation, with 18% worried non-compliance could ultimately put their organisation out of business.