In May 2018 the EU General Data Protection Regulation (GDPR) came into force and, together with the UK Data Protection Act 2018, superseded the Data Protection Act 1998. GDPR gives individuals in the EU greater control over their personal data, meaning anything that can identify a living person, from a name, an email address, bank details or a photograph to a computer's IP address. It was designed to reshape the way businesses approach data privacy and to align data privacy law across Europe.
GDPR has applied since 25th May 2018, and businesses found to be non-compliant face heavy fines, most visibly in the event of a breach.
The territorial scope covers the personal data of individuals in the EU irrespective of where that data is processed, and the maximum fine is 20 million Euros or 4% of annual global turnover, whichever is higher.
If you suffer a personal data breach you must report it to the Information Commissioner's Office (ICO) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals, and where it is likely to result in a high risk to individuals you must also notify the affected data subjects 'without undue delay'. If you cannot establish which records were compromised, you may be left with no option but to notify every data subject, which significantly increases the cost of breach remediation.
If you have contracts and arrangements with third parties who process personal data on your behalf (CRM providers, payroll bureaus, pension companies, health cover suppliers and insurance companies, for example), you remain accountable for the protection of that data and you are responsible for determining whether the third party will protect it appropriately. This means carrying out a risk assessment of every supplier with whom you share personal data.
The conditions for consent must now be clear, and data subjects have the right to ask an organisation's data controller whether their personal data is being processed, how it is processed and for what purpose. They also have the right to request that their data be erased and that further dissemination of it be stopped.
Start at the beginning and get your house in order. Understand where your risks lie and take action
CORVID provides consultancy services that support a business in identifying its data protection risks, defining an effective management strategy and writing proportionate compliance policies. A well planned and executed information risk strategy can greatly reduce a business’s exposure to potential legal action and liability in the event of a data compromise.
Demonstrate due diligence. Strive for zero vulnerabilities
The first step in preventing a breach is to identify and remove the vulnerabilities that attackers exploit. CORVID's Vulnerability Scanning service achieves this through routine scanning across your IT estate, identifying security flaws and providing guidance on managing and mitigating the issues it highlights. In the event of a data breach, the scan history provides evidence that due diligence was followed and that no known vulnerabilities were present at the time of the last scan. A scanner can only report the vulnerabilities it knows how to detect, so prompt remediation of its findings is what actually reduces your exposure.
CORVID Vulnerability Scanning keeps the impact of a future breach to a minimum. Make yourself a hard target
Regular vulnerability scanning, with prompt remediation of what it finds, keeps your internal systems hardened, so that if a breach does occur the attacker will struggle to move laterally within your IT environment and extract further sensitive information beyond their initial point of compromise.
CORVID Email Protection is your first line of defence against the biggest risk of data loss. Don't put the blame on 'user error'.
Phishing and spear phishing emails have become one of the primary means of compromise, and they are increasingly difficult to identify. CORVID's Email Protection service takes the onus off the user to be the first line of defence by removing malicious content and inspecting potentially fraudulent links before delivery, drastically reducing the risk of data loss.
Be prepared and don’t rely on luck. Securing your IT estate is fundamental to compliance.
CORVID's internet security service, part of CORVID MDR, protects against attacks and malicious content delivered through internet activity. It protects routine web browsing and prevents malware from beaconing back out through the internet to the attacker's infrastructure, both of which pose a significant risk of data compromise.
Our CORVID Network Defence service provides advanced network protection and detection through detailed network analytics, stopping attacks designed to evade corporate firewalls and anti-virus.
The longer the breach remains, the greater the damage. Time is money
Minimising the impact of a breach drastically reduces reputational and financial damage, and reducing the dwell time of an attack before it is discovered is critical to keeping that damage to a minimum. CORVID's Malware Hunting service conducts proactive malware hunting as standard, aiming to cut the dwell time of an attack to less than 24 hours, against reported industry figures of well over 100 days.
You have to know the facts. Not knowing can be disastrous
In the event of a breach, CORVID's Incident Response service supports the return to business as usual and provides forensic-level investigation to establish what information was accessed, how it was accessed and when. This information is critical to minimising reputational damage by ensuring management are fully briefed and know the facts. Having this level of detail avoids the need for blanket notification broadcasts and establishes whether GDPR disclosure is actually required, enabling accurate and informed communication with the affected data subjects and business customers.
Want to talk about GDPR and how CORVID’s services can help you comply? Contact us using the form below or call +44 1242 278 787.