The General Data Protection Regulation (GDPR) has fundamentally altered the way businesses collect, store and process data. In contrast to the United States, up until GDPR’s implementation, European businesses weren’t required to notify the authorities when their systems had been breached, meaning many data breaches — and the extent of them — were difficult to quantify. Since coming into effect just over a year ago, GDPR has ensured that European businesses report this information, forcing them to make their data woes public knowledge.
Strictly speaking, the regulation applies to any data regarding EU citizens, not just those held by European businesses, meaning international businesses can also be penalized for infringements. IT Governance states that more than 200,000 cases were reported in the first nine months, with fines totaling €56 million for GDPR breaches across 31 countries. So, since GDPR penalizes businesses that fail to comply with its legislation, we’re now seeing the true cost of data breaches.
More than a year into GDPR, what’s the effect been?
It’s now over a year since GDPR came into effect, and although the impact of the regulation is starting to be felt, there’s still a long way to go before the true security picture in Europe becomes clear.
GDPR requires that organisations disclose to national data protection agencies (DPAs) any breaches of security leading to “the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed to local data protection authorities not later than 72 hours after having become aware of it”.
The British parliament has been unable to agree on the exit package from the European Union. With the possibility of a “no deal” departure looming, EU leaders have granted a six-month extension to Brexit day. But the uncertainty that still lingers with regard to Britain’s future creates various opportunities which cyber criminals could try to exploit.
Given the situation, careful examination of Brexit’s direct and indirect implications must be made, if we are to better understand the potential ramifications of a “no deal” exit. Let’s begin by looking at relevant regulations.
A brief look at current and future legal frameworks
The EU recently adopted two key pieces of legislation designed to govern cybersecurity and privacy issues. The first, the General Data Protection Regulation (GDPR) [1], regulates data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). The second, the EU Network and Information Security Directive (NIS) [2], provides legal measures to boost the overall level of cybersecurity in the EU.
For its part, the United Kingdom incorporated GDPR into its Data Protection Act 2018 [3] and the NIS Directive into its NIS Regulations 2018 [4], a political choice showing that the UK strategically desires to be aligned and, to a certain extent, compliant with the new EU regulations.
Brands are under pressure to protect themselves and their customers from increasingly sophisticated cyber attacks. With daily media headlines and new regulations, consumers have never been more aware of the threats out there. As a result, businesses are being forced to take the issue of cybersecurity more seriously, facing it head on and putting in place the necessary steps (e.g., encryption, two-factor authentication and key management) to protect their data from hackers.
One avenue that’s not commonly talked about is the value that ethical hackers can bring to a business. The common perception is that all hackers are the bad guys. But this is a mistake. As opposed to their Black Hat counterparts, who are out to use their skills on an illegal basis, White Hat hackers use their skills in an ethical manner to keep companies safe. They can be brought in to test and bypass a company’s defences, and rather than taking advantage of any vulnerabilities they find, they report them and advise on how to fix them.
Jason took part in the making of episode two of the TEDxBristol Podcast “Reflect Rethink Reboot” while at the Techfusion event held in Bristol in June 2019.
In this episode, they take a look at Bristol’s vibrant tech startup scene, meeting some of the founders and startups who are helping Bristol and the south west of England compete on the world stage. They ask what makes Bristol and the south west of England such a special place when it comes to tech startups, and what the rest of the world can learn from this little corner of the UK.
Listen to the podcast here, or search for it on your favourite streaming platform.
In the final episode of this four-part series, called “Ground Truth or Consequences: the challenges and opportunities of regulation in cyberspace,” Cyberwire examine some of the game-changing high-profile breaches like Yahoo, Equifax and OPM, along with their impacts and lessons learned. Our guests are Dr. Christopher Pierson, CEO and founder of BlackCloak, and Jason Hart, CTO for enterprise and cybersecurity at Gemalto.
The Internet of Things (IoT) is on the rise. According to Statista, the number of IoT devices is expected to increase from 23.14 billion to 30.73 billion in 2020. By 2025, that number is expected to more than double to 75.44 billion.
Such projected growth highlights the need for organizations to harden their IoT devices. But are companies adequately prepared to meet the challenges of IoT security?
To answer that question, Gemalto surveyed 950 IT and business decision makers globally for its report, The State of IoT Security.
Jason Hart, CTO, Data Protection, Gemalto, discusses why security and confidence must go hand in hand.
In any industry, confidence is a key trait for a business to be successful. The company itself must understand its operations and its ability to deliver what customers want, and those customers in turn must trust the company they’re buying from. If either of these is broken, it can spell serious trouble. This is why recent results from Gemalto’s Data Security Confidence Index are troubling and a cause for concern. Let me explain.
As the business world becomes increasingly competitive, data is emerging as the new differentiator that can set a company apart from its rivals. Having insight into customer buying habits, product usage and general behaviour can be vital to shaping future business strategies. So, it’s worrying to find out that two in three (65%) companies don’t have the resources to analyse the data they have.
In the third episode of their four-part series, called “Ground Truth or Consequences: the challenges and opportunities of regulation in cyberspace,” Cyberwire take a look at risk and regulation in the financial sector, specifically how it intersects with cyber security. Joining the podcast are Valerie Abend from Accenture and Josh Magri from the Bank Policy Institute, and Jason Hart, CTO for enterprise and cybersecurity at Gemalto, the program sponsor.
Based on the way the industry is moving, 2019 is set to be an exciting year as AI gains more prominence, and quantum and crypto-agility start to make themselves known.
From the record-breaking number of data breaches to the implementation of the General Data Protection Regulation (GDPR), 2018 will certainly go down as a memorable year for the cybersecurity industry. And there have been plenty of learnings for both the industry and organisations, too.
Despite having two years to prepare for its inception, some companies were still not ready when GDPR hit and have faced the consequences this year. According to the law firm EMW, the Information Commissioner’s Office received over 6,000 complaints in around six weeks between 25th May and 3rd July – a 160 per cent increase over the same period in 2017. When GDPR came into force, questions were raised about its true power to hold companies to account – with the regulation saying fines could be implemented up to £16.5 million or 4 per cent of worldwide turnover. The latter half of this year has shown those concerns were unfounded, with big companies, including Uber as recently as this week, being fined for losing customer data. What 2018 has shown is that the authorities have the power and they’re prepared to use it.