What is GDPR? Everything you need to know as countdown to new cyber security regulation begins

'The WannaCry cyber-attack should serve as a stark wake up call for everyone that cybercrime is real and the consequences can be grave'

Terry Greer-King
Wednesday 24 May 2017 11:39
Comments
If the recent WannaCry cyberattack hasn’t got business leaders to sit up and take notice, GDPR will force them to
If the recent WannaCry cyberattack hasn’t got business leaders to sit up and take notice, GDPR will force them to

Thursday marks a year until GDPR, or the General Data Protection Regulation, comes into effect. That means businesses have roughly 365 days to make the necessary changes to the way in which they operate and manage risk to ensure they abide by the new law.

If the recent WannaCry cyberattack hasn’t got business leaders to sit up and take notice, GDPR will force them to. If the cyber-criminals involved in the WannaCry attack had chosen leak data from their victims rather than encrypt it, the financial consequences under GDPR would have been extensive.

Ultimately, the arrival of GDPR will put the control of personal data back into the hands of the individual, allowing a number of rights including access to their data and the ability to withdraw it. It also means that organisations cannot simply gather data without good reason and must prove that they are doing all they can to protect the data they do hold.

The law applies to any company that is targeting consumers in the European Union and holding or transporting data relating to them, meaning it has the potential to impact companies globally.

GDPR also specifies that organisations have to appoint a specific data protection officer, who is distinct from a risk officer and all IT functions that currently exist. It’s a role that has to sit outside of IT and outside of the boardroom to have the independence to ensure the business adheres to the regulation.

It is vital businesses understand the importance and the responsibility tied to these new regulations.

For example, non-compliance penalties could lead to fines of up to €20m or 4 per cent of a company’s global annual turnover. It’s not a case of opting in or out, it’s a stark case of comply or face the consequences.

While GDPR dictates that organisations must implement appropriate governance and accountability in their processing and protecting of data, it is just as important that we adopt a “neighbourhood cyber-watch” approach and make threats and data security everyone’s concern, not just those with a governance or security role.

According to Cisco’s annual cybersecurity report, today’s average large enterprise can face as many as 70,000 security events per week. The WannaCry attack has shown how devastating malware can be, and how quickly an issue can spread to affect the entire world in a matter of hours.

These threats are more than individuals, businesses and governments can tackle alone. The success of the cybercriminals is in part down to the lack of awareness of attack methods and in parallel, how to secure systems. Nevertheless, a key takeaway from the recent attacks has to be that a large number of organisations weren’t affected and managed to rebuff the assault.

Developing a society that is resilient to cyberattacks implies a willingness by all parties to share knowledge and insight about the latest threats to help reduce cybercriminals success rates and minimise the impact on businesses overall. Keeping a watchful eye on threats and warning those around us of danger has served humanity well as a model of protection for millennia.

Ultimately, cybercriminals are an organisations’ biggest competitor and a country’s biggest threat. The threat environment and the legislative environment are changing.

The WannaCry cyber-attack should serve as a stark wake up call for everyone that cybercrime is real and the consequences can be grave. It is possible to be prepared and to repel attacks, nevertheless the financial consequences of a successful breach are soon to get a whole lot more severe.

We have 365 days and counting.

Terry Greer-King is a director of cybersecurity at multinational technology conglomerate Cisco.

Register for free to continue reading

Registration is a free and easy way to support our truly independent journalism

By registering, you will also enjoy limited access to Premium articles, exclusive newsletters, commenting, and virtual events with our leading journalists

Please enter a valid email
Please enter a valid email
Must be at least 6 characters, include an upper and lower case character and a number
Must be at least 6 characters, include an upper and lower case character and a number
Must be at least 6 characters, include an upper and lower case character and a number
Please enter your first name
Special characters aren’t allowed
Please enter a name between 1 and 40 characters
Please enter your last name
Special characters aren’t allowed
Please enter a name between 1 and 40 characters
You must be over 18 years old to register
You must be over 18 years old to register
Opt-out-policy
You can opt-out at any time by signing in to your account to manage your preferences. Each email has a link to unsubscribe.

Already have an account? sign in

By clicking ‘Register’ you confirm that your data has been entered correctly and you have read and agree to our Terms of use, Cookie policy and Privacy notice.

This site is protected by reCAPTCHA and the Google Privacy policy and Terms of service apply.

Join our new commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies

Comments

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged in