Cyber Security advice

Avatu’s Joe Jouhal says that in or out, the best-run organisations will still shake their security all about and make sure they’re ready for new data protection rules they simply can’t afford to break.

As everyone knows, the outcome of the EU referendum has made life a little more uncertain. Organisations have had to take a long hard look at their business activities and investment and growth plans as they second guess the new world future.

Before the referendum, information security had started to pick up some impetus in the best-run, most forward-thinking organisations.

Leaders in these places have already acknowledged that information security is a serious business challenge, rather than something that applies only to the IT department, and are, consequently, giving it the right focus, investment and priority.

The government’s new Cyber Security Centre, which opened late last year, is aimed at building more confidence.

And, in theory, so should the EU’s new, far-reaching, General Data Protection Regulations (GDPR) with their extra security requirements and big penalties. Or this was the case, until Brexit somewhat muddied the waters.

The landscape – before the vote for Brexit

Earlier last year, all EU countries adopted as law the GDPR. This is something of a game-changer when it comes to data and cyber security.

The new law significantly strengthens data protection rules for all EU countries, and for any organisation – anywhere in the world – that wants to do business within the EU, regardless of whether it holds personal or sensitive data or not.

While the regulations came into force on 25 May last year, there’s been a two-year grace period for organisations to get their houses in order before penalties begin to apply.

But, fundamentally, GDPR means, from May 2018:

Organisations will have to report data breaches to the individual people affected, and the national regulator, within 72 hours of discovery. This means they will need to be prepared for fast action after a breach is uncovered and aware that news of a breach will always be public information, and plan accordingly.

EU citizens have a ‘right to erasure’, which means an organisation may have to delete every record they have on a particular person (this is a significant challenge for many, as they don’t actually know what data they have and where every piece is held).

Some companies will need to have a dedicated data protection officer – but not all.

Organisations need to show they have a sound, risk-based approach to data protection and a privacy strategy.

Penalties for rule breaches can be up to €20 million, or 4% of global turnover (this is perhaps the most sobering part of the new rules).

The landscape – after the Brexit vote

We're not yet sure yet exactly when the UK will leave the EU. But we do know it won’t be before February 2019 – at least nine months after GDPR comes into play.

The government hasn’t yet given an indication on the future fate of GDPR or if it will stay UK law; there are bigger fish to be fried first. But the consensus among many experts - including the Information Commissioner -  is that nothing is likely to change – or if it does, it may not change for quite some time.

What we do know for sure is:

If you have clients or market in any part of the EU outside the UK, GDPR will definitely apply to you no matter what happens within the UK – so you need to prepare now

UK Select Committee MPs are also urging companies to penalise CEOs for data breaches that happen in their firms. The Culture Committee – which has responsibility for cyber security and the digital economy - wants to make sure digital security is a priority for chief executives by linking it to their pay. This means the issue of data security is hotting up in the UK, too.

The best advice: just do it anyway, and do it now...before time runs out

The most forward-thinking organisations are becoming GDPR-ready, even if they work only in the UK because the new law is sound for business. Full stop.

It encourages organisations to take data security more seriously, and ensures they are less vulnerable to cyber attacks or data breaches caused by insiders, both of which are potentially damaging or inconvenient for business.

Could you say – hand on heart – that your organisation is prepared for, and could cope with, a data breach, and the associated fallout?

If the answer’s no, you shouldn't need a new law to make you take this seriously. GDPR is focussing the mind for many organisations but - for the good of your business - you should be doing it now, anyway.

Joe Jouhal is CEO with Avatu. This article first appeared in the New Statesman. Download the cyber security report here.

---

Keep on top of cyber security, data protection and Brexit

We’re running a series of briefing sessions to keep people up-to-date with the latest developments on GDPR, cyber and data security and Brexit. They will include a leadership briefing event, a webinar and email updates.

To find out more or join the mailing list email: cybersecurity@avatu.co.uk or call 01296 621121.

---

Could you say - hand-on-heart - you are prepared for a data breach?

If the answer to this question is no, and you need help now, call our security advisors on 01296 621121 or email cybersecurity@avatu.co.uk Or contact us here.

We can help you assess how effective your security arrangements are right now, develop a plan to improve them for the future, and keep you in control.