From May 2018 the UK Data Protection Act 1998 will be replaced by the EU General Data Protection Regulation (GDPR). The aim of GDPR is to give EU citizens greater protection over their personal data, which can be anything from a name, an email address, bank details, a photograph or a computer IP address, to reshape the way businesses approach data privacy and align data privacy laws across Europe.
The enforcement date of GDPR is 25th May 2018 and those businesses found to be non-compliant after this date may face heavy fines in the event of a breach.
The geographical scope now includes the data of all EU citizens irrespective of where the data is processed, and the maximum fine for a breach could be 20 million Euros or up to 4% of annual global turnover.
If you have a data breach you must report it within 72 hours of discovery to the Information Commissioner’s Office (ICO) and notify those data subjects affected ‘without undue delay’ after becoming aware of the data breach. If you can’t identify what’s been breached then you will have to notify all data subjects, significantly increasing the cost of breach remediation.
If you have contracts and arrangements with third parties who process personal data on your behalf, which could include CRM providers, payroll bureaus, pension companies, health cover suppliers and insurance companies, you will remain accountable for the protection of this data and you are responsible for determining if the third party will protect the data appropriately. This will require you to carry out a risk assessment on every supplier you share personal data with.
The changes mean that conditions for consent must be clear and data subjects have the right to request information from the Data Controller of any organisation as to whether or not their information is being processed, how it’s being processed and for what purpose. They have the right to request their information be erased and to stop further dissemination of their personal data.
Corvid provides consultancy services that support a business in identifying its data protection risks, defining an effective management strategy and writing proportionate compliance policies. A well planned and executed information risk strategy can greatly reduce a business’s exposure to potential legal action and liability in the event of a data compromise.
The first step in preventing a breach is to identify and remove the vulnerabilities that attackers exploit. Corvid’s VARIS Vulnerability Scanning service, achieves this through routine scanning across your IT estate, identifying security flaws and providing guidance on managing and mitigating the issues highlighted. In the event of a data breach the VARIS service provides the necessary evidence that due diligence has been followed and that no known vulnerabilities existed.
The running of regular vulnerability scans will ensure your internal systems are hardened, meaning if a breach occurs the attacker will struggle to move laterally within your IT environment and extract additional sensitive information from their initial compromise point.
Phishing and spear phishing email attacks have become one of the primary forms of compromise, and are increasingly difficult to identify. Corvid’s PERNIX Email Protection service removes the onus on the user being the first line of defence, through removal of malicious content and inspection of potentially fraudulent links, drastically reducing the risk of data loss.
Corvid’s CORAX Internet Security service gives protection from attacks and malicious content delivered through internet activity. It protects routine web browsing and prevents malware from beaconing back out through the internet to the attacker, both of which pose a significant risk to the compromise of data.
Our WAARDEN Network Defence service provides advanced network protection and detection services through detailed network analytics, preventing attacks designed to evade corporate firewalls and anti-virus.
Minimising the impact of a breach can drastically reduce reputational and financial damage, and reducing the dwell time of an attack before it is discovered is critical to keeping the damage to an absolute minimum. Corvid’s PICA Malware Hunting service conducts proactive malware hunting as standard, which aims to reduce the dwell time of an attack to less than 24 hours, far outweighing the reported industry figures of well over 100 days.
In the event of a breach, Corvid’s FENIX Incident Response service ensures the return to business as usual, and provides forensic level investigation to establish what information was accessed, how it was accessed and when. This information is critical in minimising reputational damage by ensuring Management are fully briefed and know the facts. The ability to access this level of detail avoids the need for blanket notification broadcasts and validates the need for GDPR disclosure, enabling accurate and informed communication with the affected data subjects and business customers.
Want to talk about GDPR and how Corvid’s services can help you comply? Contact us using the form below or call +44 1242 278 787.