On 25 May last year, the most significant change in data privacy regulations for two decades came into force, the General Data Protection Regulation (GDPR).
Officially known as Regulation (EU) 2016/679, GDPR was billed as “a directive by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the EU”.
It also looked to address the export of personal data outside the EU, to give people back control over their personal data, and to simplify the regulatory environment for international business by unifying the rules across the EU.
And it all came about because of the bad boys: hackers, their cyber attacks and data breaches, as well as the growing controversy around data collection and consumers’ concerns over how their data was being used. The GDPR sought to rule out the practice of gathering data through opt-out consent, something that many businesses had previously relied on.
Almost 12 months on, according to the Government, the GDPR has made more UK businesses resilient to cyber risks, although companies still have much more to do.
In the Government’s latest annual cyber security breaches survey, carried out in the final three months of 2018, 1,566 businesses were asked if they had experienced cyber security breaches or attacks within the previous 12 months. Thirty-two per cent of respondents said they had, down from 43 per cent in the previous year’s survey, and this drop has been attributed in part to measures businesses have undertaken to comply with the GDPR.
According to the Cyber Security Breaches Survey 2019: “The new data protection law has encouraged and compelled many organisations over the past 12 months to either engage formally with (cyber risk) for the first time, or in some cases to strengthen their existing policies and processes.
“This has helped to raise the floor in cyber security, with more micro businesses taking action against the risks in 2019 than in 2018. It may help, among other factors, to explain the fall in the number of businesses, especially micro businesses, experiencing breaches or attacks since 2018.”
Cyber risk expert Ian Birdsey, of international law firm Pinsent Masons, has stated that “while some SME businesses have taken certain limited steps to prepare for the GDPR… a high proportion of those organisations are not prepared for a data breach and have not taken essential security steps either to prevent an incident, for example by implementing multi-factor authentication for systems access, or be in a position to respond to an incident, such as by activating logging”.
Despite all the progress made since last year, only a minority of micro and small businesses have written cyber security policies or a formal incident management process in place, have arranged any form of specific training, or have senior staff with a particular responsibility for cyber security as part of their job role. At the same time, GDPR has accelerated the pace of change across organisations, and businesses now see cyber security as a higher priority than ever before.
As for large businesses, the Government report found that more of these have board members with a cyber security brief, although it’s still a minority, with a disappointing 41 per cent not having one. Instilling better knowledge and understanding of cyber security across board members can be the difference between cyber security being treated as a fairly high priority or a very high priority.
If you still find yourself confused and concerned about GDPR and your IT security, we can help – talk to one of our security specialists on 0333 241 9301.