The European Union’s General Data Protection Regulation (GDPR) has been hailed as the strongest privacy and security law to be passed. At its center, GDPR is about giving citizens of the EU more control over their personal data, streamlining and simplifying the data collection regulations across Europe.
It isn’t only countries within the EU that must abide by — or are affected by — GDPR rules, either. It also imposes obligations on companies and organizations outside the EU if they collect data regarding people inside the EU.
In the United Kingdom, the GDPR regulator is the Information Commissioner’s Office (ICO). Even with the UK leaving the European Union following Brexit, Elizabeth Denham, the UK Information Commissioner, has said that it is still crucially important that businesses comply with GDPR.
One of the significant focuses of GDPR is on data breaches or data loss. Under the new, stringent rules, organizations must report personal data breaches rapidly after becoming aware of them. New fines have additionally been introduced to punish those who have failed to safeguard the data in their care with the right measures, such as data encryption.
In the most severe cases, data breaches or data loss can result in fines of up to 18 million British pounds ($24.5 million) or 4% of annual global turnover, whichever figure is greater.
Data breaches continue to happen
Despite this, reports of data loss or data breaches continue to increase. Such incidents may come about due to a range of factors, whether human error or external cybersecurity-related attacks.
For example, in the second quarter of 2020 there were a total of 2,594 data incidents reported to the ICO. Of these, 258 resulted from phishing attacks, 152 from ransomware, 190 from unauthorized access to systems, 402 from data being erroneously emailed to the wrong person, 266 from data being posted or faxed to the wrong person, and 141 from loss or theft of data left in insecure locations. (This is only a sampling of the incidents in question to give a sense of the breadth of scenarios.)
While most would like to believe security is getting better over time, this Q2 figure of 2,594 data incidents represented a sharp rise from the 1,446 reported incidents in Q1 2020. This may reflect some of the significant changes during the April through June quarter of last year, in which the spread of the COVID-19 coronavirus pandemic meant that many people were now working remotely, rather than sharing a physical office.
This creates new potential avenues for data to be compromised: greater reliance on communicating remotely with colleagues, stakeholders, and others (sending attachments by email rather than handing over paperwork in person or via internal post systems), and an overall increased use of technical infrastructure to make remote work and system access possible.
Making sure data loss doesn’t happen
Ensuring that these data loss incidents do not continue to happen is crucial — whether because of the significant fines they can result in, eroded trust on the part of customers, or a number of other reasons.
In some cases, where human error is involved, the answer is better education of employees. Trusting human actions to carry out certain tasks is always going to result in a certain number of incidents. People can learn from their mistakes, and hopefully these lessons can be passed on to other employees as well, but it is impossible to ever reduce the number to zero.
Successful cyberattacks that involve social engineering (i.e. attacks that manipulate people into performing certain damaging actions or giving up confidential information) can, however, be reduced through training. For example, teaching people to question suspicious links or attachments in emails can help reduce the spread of malware that may result in data breaches.
Use the right tools for the job
It is also important to make sure you use the right tools for the job to help protect confidential data. Ensure that you use strong encryption so that data is rendered useless outside the settings in which you want it to be accessed. Strong encryption alone won’t stop cyberattacks, but it can greatly reduce their effectiveness and some of their most damaging repercussions. Data masking and encryption make it possible to obfuscate data so that, even if it were somehow extracted, it would be unreadable.
Other tools can additionally help ensure comprehensive protection against attacks. Cybersecurity measures like Web Application Firewalls (WAFs) monitor for suspicious traffic and block it, while continuing to allow good actors through. Database firewalls, meanwhile, can assist in blocking SQL injection and other threats, while database activity monitoring keeps tabs on the systems that organize your data — be that data warehouses, relational databases, etc. — and generates real-time alerts if and when problematic behavior emerges.
Employ the right measures and you should never have to worry about successful attacks or other data breaches, let alone the potential data protection ramifications of such an incident.