Penalties for businesses hit by cyber breaches are set to increase in 2018 when the European Union’s General Data Protection Regulation (GDPR) comes into effect.
Penalties for businesses hit by cyber breaches are set to increase dramatically in 2018 when the European Union’s General Data Protection Regulation (GDPR) comes into full effect.
The new regulation will threaten firms with fines of up to €20 million (£17.5 million) or 4% of their global turnover – whichever is greatest – if they are found not to have taken proper measures to protect themselves and their customers’ data against cyber attacks.
It will also increase the mandatory reporting requirements for breaches, meaning that it will become more difficult for organisations to quietly sweep incidents under the carpet. Instead, they will be obligated to inform the authorities and the customers whose data has been accessed.
When it comes into effect next May, the GDPR will apply to all businesses working with EU citizens, meaning British firms will be affected regardless of the outcome of the ongoing Brexit negotiations.
Helen Barge, owner of Leamington-based Risk Evolves, warns that the regulation could also see larger firms seeking a share of the cost of the fines incurred after a breach, because the law will widen to hold every organisation in the supply chain responsible.
“If you are a small company supplying a larger business and you have access to or are provided with information about their clients or employees, you need to think very carefully about how you protect that data,” she says, noting that SMEs sometimes overlook critical parts of cyber security.
“From finance to CCTV, data is captured in many forms and is often maintained on the same IT infrastructure. This makes it much easier for hackers who deliberately target vulnerable IT systems.
“We also all work outside of the office and access data via mobile phones, laptops and tablets using public WiFi in cafes, hotels and so on. Criminals know many of us fail to take basic steps to secure access to systems in these environments and will therefore look to infiltrate to get to our information.”
Cyber security experts are waiting to see exactly how the GDPR will be enforced, but many predict that a few firms may be made an example of early on to prompt others to take action.
Although the maximum penalties are huge, in practice the figures are likely to be smaller for businesses that implement “a level of security appropriate to the risk” – but it is yet to be seen exactly what is deemed “appropriate” by the powers that be.