Data complaints up 160% – should we be worried?
The General Data Protection Regulation (GDPR) only came into force a little over three months ago – May 25 to be precise – yet in the five weeks following its introduction, the UK’s Information Commissioner’s Office (ICO) recorded 6,281 complaints relating to data breaches and misuse; a 160 per cent rise on the same period in 2017.
GDPR has succeeded in increasing transparency around breaches, as well as empowering consumers to report companies when they feel their data has been mishandled, but is such technical security overkill, and should we instead be focusing more on IASME, the information assurance standard for SMEs?
Or is it a simple case of “education, education, education”, to quote a certain former Prime Minister, because in many cases the cause of data breaches has been user error such as emailing the wrong person?
When GDPR was introduced it was billed as a sweeping overhaul of the European Union’s data protection regime, and it saw the introduction of fines of up to four per cent of annual global turnover for businesses that suffered data breaches.
The data gathered after GDPR came into force suggests that the legislation has succeeded in increasing transparency around breaches, and an ICO spokesperson has stated: “It’s early days and we will collate, analyse and publish official statistics in due course. But generally, as anticipated, we have seen a rise in personal data breach reports from organisations.
“Complaints relating to data protection issues are also up and, as more people become aware of their individual rights, we are expecting the number of complaints to the ICO to increase too.”
Much of the 160 per cent increase in complaints about data breaches and misuse could be attributed to complaints against high-profile companies such as Facebook and Google filed by privacy campaigners at the consumer rights organisation Noyb.
Those complaints accuse the two companies of forcing consumers into providing consent for data processing in a take-it-or-leave-it deal, which Noyb argues is against the principles of the law.
Before GDPR there was IASME – Information Assurance for Small and Medium Enterprises – which was designed to ensure that businesses were securing their data as much as possible through a benchmark based on the international security standard ISO 27001, which deals with the management of companies’ IT systems.
Post-GDPR, IASME is still very relevant, and it demonstrates to your customers and suppliers that their information is being protected. IASME has only been with us for around seven years and came about because ISO 27001 was deemed too complex for SMEs.
Running parallel with GDPR and IASME is Cyber Essentials, the UK Government scheme aimed at getting all businesses to be able to manage their IT security up to a certain standard by helping them to implement basic levels of protection against cyber-attacks, and as with IASME it shows your customers and suppliers that you take cyber security seriously.
Cyber Essentials is a priority if your business wants to deal with the MOD or the Government, and it comes in two forms: the standard self-assessment, and the Plus version, which requires the self-assessment as well as an onsite audit in which the assessor performs a basic vulnerability review to ensure that security best practices are being followed.
So, are we in a state of technical security overkill? The answer is most definitely not. Cyber criminals are doing everything to stay one step ahead of the game – although it most certainly is not a game.
Breaches do keep occurring, such as the latest high-profile one affecting the airline British Airways, which has seen the personal and financial details of around 380,000 of its customers stolen. GDPR, IASME and Cyber Essentials all help in their own ways to try to thwart these attacks, which are becoming more and more sophisticated.
If you’re serious about ensuring that your business data is being protected – and you should be, otherwise you shouldn’t be trading – and if you want to improve your business reputation, you should look at becoming Cyber Essentials and IASME certified, and if by now you’re not GDPR compliant then start asking questions of your managed service provider.