GDPR
By Thorsten Kurpjuhn, European
Market Development Manager
at Zyxel
www.zyxel.com
Following the flood of opt-in/opt-out emails that hit our
mailboxes last spring, ahead of the introduction of the
General Data Protection Regulation (GDPR) on 25 May
2018, silence has fallen over the topic. To some extent, the
uncertainty about the legal implications of the legislation
still prevails and businesses have, in the meantime, buried
their heads in the sand under the assumption that it won’t
impact them.
As a result of this laissez-faire attitude towards GDPR, fines have totalled €56m in its first year, with more than 200,000 investigations, 64,000 of which were upheld. The total fines issued to date remain dominated by the €50 million fine issued to Google by France’s national data protection authority, CNIL.
The approach and reaction to GDPR widely differ across
Europe. Countries such as Slovakia and Sweden are yet to
issue a single fine, while countries like Poland, Portugal and
Spain have fined companies several hundred thousand
Euros. Germany has seen some of the highest GDPR
activities, with 42 fines imposed, averaging €16,100 and
58 warnings issued. In comparison, while the Netherlands
has issued over 1,000 warnings, only one fine has been
issued, which happens to be one of the highest in Europe at
€600,000. Whether the level of GDPR fines issued is down to poor compliance in some countries, or to less-diligent Data Protection Agencies (DPAs) in others, remains a grey area.
So where are businesses going wrong when it comes to
GDPR compliance?
Business networks are the weak link
A business’ network is a prime data highway, which makes
it the prime target for cyberattacks. Even if data handling
protocols and procedures are GDPR compliant, these efforts
can be rendered worthless as soon as network security is
breached. Strengthening the network to protect the data
must be a priority for businesses of any size who want
to avoid falling foul of GDPR and possibly facing severe
financial penalties.
Companies already risk fines of up to €20m or 4% of global annual turnover, whichever is higher, if they are found in breach. Yet compliance still remains a challenge.
Arguably, this is because carrying out an email marketing
campaign and updating internal documents is a much
easier exercise than taking concrete steps to safeguard the
network and protect sensitive information.
Cybercrime is an evolving threat that can cause
catastrophic damage. Cybercriminals are using increasingly
sophisticated new ways of penetrating IT infrastructure,
making it difficult for businesses to defend networks and
keep data safe. The harsh truth is that we cannot make a
network completely secure and unbreachable. Thankfully,
that is not what GDPR requires of companies.
The legislation simply specifies that businesses must do all in their power to ensure data security. This means that businesses need a robust and reliable solution that demonstrates their dedication to controlling access to, and protecting, their digital assets. At this stage, it appears that most businesses would fail to prove that their network is as secure as it can be.
On the anniversary of GDPR £56m of fines have been issued already, so where are businesses going wrong?
The time for stronger security is now
Legislation, including GDPR, is only as powerful as its enforcement. Going forward, Ernst & Young expects European authorities to become more stringent. “We expect European regulators to implement their 2019 announcements and increase their fines,” said Ernst & Young partner Peter Katko. In the next few months, it will be critical for businesses to step up their game as DPAs begin to ramp up their efforts.
While large companies are able to outsource the task of putting security measures in place and maintaining them to Managed Service Providers (MSPs), smaller businesses often lack the required knowledge and resources. Yet the penalties for not dedicating enough effort to introducing stronger cybersecurity measures can be a deadly blow to any business.
DPAs have the power to not only issue a fine, but to also
impose a temporary or indefinite suspension of processing
data. The aim is to ensure that no more data can be
compromised while investigations take place, but this ruling
on its own could threaten the future of a business, especially
when you consider the serious reputational damage that
would ensue.
To reduce the risks, there are practical steps that small businesses can take to ensure the corporate network is aligned with GDPR requirements. Above all, it’s crucial that they build their networks using the latest cybersecurity standards and network infrastructure rather than relying on a standard domestic router with out-of-the-box anti-virus software. It’s time to move on and reap the benefits of the new tools available.
For example, previously specialist technology, such as Advanced Threat Protection (ATP), is now moving into the mainstream and will allow businesses to monitor and protect their network against cyber threats in real time. This will be crucial as attacks grow in both number and sophistication.
Businesses can’t afford to wait any longer. Not only do they need to keep up to date with regulators’ guidance and the enforcement decisions from DPAs, but they must also review existing network infrastructure to reduce the risk of cyberattacks. Businesses must also prioritise internal cybersecurity awareness and education to ensure that everybody in the organisation knows how to handle data securely and what to look out for when it comes to threats to the network.
Time has not yet run out, and those who act now can still prevent sanctions and reputational damage.
www.networkseuropemagazine.com