Think You Ticked All the Boxes for GDPR? Think Again.
GDPR is far more than an IT issue and companies still need to make changes to become compliant.
But, GDPR is far more than an IT issue and companies still need to make changes to become compliant. The threat of large fines focused the minds many company directors ahead of the launch in May but since then they have moved on to other concerns. However, they soon will focus again as the first notices and fines are about to be issued.
The first notice actually has already been issued in the U.K. by the ICO. Canadian data analytics firm AggregateIQ, an organization linked to the Facebook and Cambridge Analytica scandal has received a notice and awaits a fine, but most business owners would struggle to relate such a breach to their own business. In Austria, the first fine issued under GDPR has been to an organization that simply installed a CCTV camera in front of its establishment, however it was angled so it also recorded a large part of a public pavement, which is a breach of the GDPR. This example is easier for businesses to relate by showing that a common activity can be liable for a notice, and a fine, even it's something they hadn't considered covered by GDPR. When the notices start to be published, GDPR will once again be pulled back into sharp focus.
It is time for companies to review their risks, and the biggest single risk of a breach comes from staff either doing something they shouldn't or not doing something they should. It is a requirement under the GDPR to make staff aware of their responsibilities but few go further than making them aware of what to do when they receive an access request. This is a far too simplistic approach when the risk of breaches by staff members unintentionally or intentionally is real.
One of the most common risks is when staff use shadow IT rather than the systems prescribed by the company. A company can lose control of where data is stored if staff adopt unofficial products such as Dropbox. These services and tools are designed to be easy to adopt and often make the staff members' jobs easier but they fall outside of any control. A team may use Slack for internal communication and start to share files and data throughout the company and then this may go on to be opened up to suppliers and customers. All operating outside of any company controlled compliance. Another example is Trello, the web-based project management application. The British government recently exposed official papers and reports, including communications with MI5 and counter-terrorism officers. Files were uploaded to 10 public Trello boards, leaving this information exposed by a simple Google search.
While usually associated with retail, theft by staff is an issue for all companies under GDPR. Salespeople often take customer databases with them to new roles, which is a clear breach, but more worrying is when staff steal data to sell it. Private health company Bupa discovered one of its employees stole details with the details of roughly 500,000 customers. Such data can quickly become available to buy on the dark web, where medical records sell from as little as €1 and a full set of data such as name, date of birth and account numbers sells for €30.
With two-thirds of cybersecurity incidents using phishing, staff can unwittingly cause breaches through falling for such common attacks. Phishing based breaches are designed to hit the soft underbelly of a company's security, the human. Employees can be tricked into opening up a whole corporate network through a targeted or spear phishing attack. These attacks are carried out by criminals and in some instances may be state sponsored such as the attacks by Fancy Bear hackers. In August 2017, Fancy Bears obtained the confidential medical records of international athletes from the World Anti-Doping Agency (WADA). Among those who had records released on their use of banned substances for a legitimate medical reason were British cyclists Bradley Wiggins and Chris Froome.
So, what can you do to minimize these risk?
- Recognize that GDPR isn't wholly a technology problem and that it is an ongoing commitment across the whole company.
- Make staff aware of not only what GDPR is but also why they have a responsibility to protect the personal data of customers and other employees.
- Identify any soft spots for data to leak out of your business. Keep in mind the principle of data minimization. The less data you have the lower your risk.
- Ensure you are aware of who has access to what data.
- Ask your staff what software and services they are using; shadow IT is often seen as "official" as it spreads throughout an organization.
- Make staff aware of how to spot phishing attacks. And create a way that they can report suspicious emails so they do not compromise your network.
GDPR wasn't a one-off event, it is the new reality we all have to work in. Don't let your company be one of the ones that focuses the minds of others by being fined.