ONE year ago GDPR had come into force, and in-boxes were full to the brim with emails asking about "consent". Mandatory reporting obligations for certain personal data security breaches, signalled the start of fundamental change in privacy regulation but what has been the impact?
Pinsent Masons' dedicated cyber team has launched a white paper 'GDPR - A Year In' which looks at the trends across Europe in cyber security incidents.
It offers unique insight into the causes of cyber security incidents, drawing on Pinsent Masons' international footprint. No business is immune from cyber-security threats and our paper draws on our experiences acting for SMEs locally through to FTSE 100 companies in multiple jurisdictions.
Cyber security is high on board agendas. With technology driving innovation, change and growth across all business sectors, vulnerability to cyber attack is a major risk. Whilst technological security measures are crucially important, clear and targeted staff policies, procedures and training are crucial as human error remains a regular cause of breaches.
In our experience, phishing emails are the common entry point of unauthorised access to organisations' systems, making up 34 per cent of data security incidents. The primary focus of such attacks is usually attempted payment diversion fraud but can also extend to ransom demands, cyber extortion or deliberate exfiltration of personal data.
The law now requires organisations to notify the regulator of a personal data breach within 72 hours of becoming aware, unless they can show that it does not present a risk to the rights and freedoms of the individuals concerned.
Clearly, identifying an incident is key. Our research shows that 50 per cent of all incidents were detected within the 72 hour window. However, only 43 per cent of those were picked up by internal processes, with the remaining 57 per cent being alerted either directly by the attacker or by a third party.
A crucial part of responding to an incident is assessing the risk to the people concerned, as this is the basis for determining whether a report needs to be made to the regulator and the individuals affected. Our research shows that 61 per cent of data security incidents were notified to the Information Commissioner's Office (ICO) – the UK regulator - as personal data breaches.
Looking across Europe, it's clear that the ICO has received significantly more notifications than its peers. In the nine months following GDPR's implementation the ICO received on average 1,285 notifications per month, compared to Ireland (492), France (170) and Spain (81).
What we have not seen in the UK (yet) is a fine being imposed under GDPR. The ICO has indicated that a "large fine" can be expected within weeks. Across Europe, the French regulator has fined Google €50 million under GDPR provisions and the Polish regulator has issued a fine of approximately €220,000 for a company's failure to provide adequate notice to individuals of how it was handling their information.
Cyber security will remain a challenge for all organisations, large and small. Attackers are increasingly sophisticated and developing new strategies constantly. Keeping one step ahead can be difficult, but whatever changes, one thing is consistent, human weakness will continue to be the attacker's best ally.
:: Laura Gillespie (laura.gillespie@pinsentmasons.com) is partner (litigation & regulatory) at Pinsent Masons in Belfast. The firm's dedicated cyber team offer 24/7 support via 020 77416127.
