Are you a blogger based in the European Union? Do you run a digital business in the EU, or an online business or blog from the UK? Get ready for a new law on the protection of the personal data you collect from the public.
You probably already show a cookie consent banner to comply with the EU rules on website cookies (the ePrivacy Directive, widely known as the "cookie law"). That privacy disclosure requirement affected even non-EU websites with an audience in EU countries, and bloggers across the globe implemented the consent option. Your online business, even a one-person blog or small digital business, will now be subject to a new data protection law that applies from 25 May 2018. Here is a quick overview of that law so that you can understand it and prepare well in advance.
GDPR, the General Data Protection Regulation, applies across the EU from 25 May 2018 (it was adopted in 2016 with a two-year transition period). It replaces the Data Protection Directive 95/46/EC, which the UK implemented as the Data Protection Act 1998. Because it is a regulation rather than a directive, it applies directly in every member state without separate national implementing laws, which is how it unifies the way organisations across the European Union collect, handle, process and store personal data.
As such, the new legislation expands the requirements for storing personal data, strengthens information governance and imposes stricter sanctions on organisations that fail to take appropriate technical and organisational security measures.
What sort of personal data is affected by the new EU regulation?
GDPR uses a broad definition of personal data: ‘any information relating to an identified or identifiable natural person’, which takes in HR records and customer lists alongside the obvious contact details. It is similar to the definition in the Data Protection Act 1998, but has been deliberately widened to make explicit that online identifiers such as IP addresses and cookie identifiers count as personal data (Recital 30). For a website this means server access logs and analytics data are personal data too, not just a customer database.
Who will have to follow GDPR regulations?
In short, every organisation established in an EU member state that processes personal data must comply, whether it acts as a controller (deciding why and how data is processed) or a processor (handling data on a controller's behalf). Under Article 3(2) it also reaches organisations outside the EU that offer goods or services to people in the EU or monitor their behaviour, which is why a non-EU blog with an EU audience is caught. GDPR places direct obligations on third-party processors such as cloud service providers that store data for their clients. It is important to stress that the British government has unequivocally confirmed that the new rules will apply to UK organisations regardless of Brexit.
What happens in the event of a security breach?
Among the many obligations GDPR imposes is the requirement to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage (Article 5(1)(f) and Article 32).
Article 4(12) defines a personal data breach as a ‘breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed’. A breach must be notified to the supervisory authority without undue delay and, where feasible, within 72 hours of the organisation becoming aware of it (Article 33), and to the affected individuals where it is likely to result in a high risk to them (Article 34). Failing to secure data adequately or to notify a breach is what attracts sanctions, not the fact of being attacked in itself.
Crucially, the fines can be punitive. Infringements of the security and breach-notification obligations carry a maximum of €10 million or 2% of total worldwide annual turnover, whichever is higher (Article 83(4)); infringements of the basic processing principles, data subject rights or international transfer rules carry the headline maximum of €20 million or 4% of worldwide turnover, whichever is higher (Article 83(5)). A breach investigation will frequently uncover both kinds of failing.
How to safeguard the personal data you hold ahead of the legislative changes
The network and data security requirements under GDPR put the onus firmly on organisations to comply with the impending changes in data protection law. Businesses are therefore strongly advised to review their IT policies and make sure they:
- Understand their cyber security risks, in particular where personal data is stored, transmitted and processed, and take appropriate measures to minimise their exposure
- Improve their resilience against online attacks, to prevent or mitigate the risk of stored or transmitted personal data being compromised by attackers
- Implement controls that prevent unauthorised access to networks and systems, stop the distribution of malicious code and limit damage to computer and communications equipment
- Put robust, actionable procedures in place for detecting and investigating security incidents, including the ability to assess whether personal data was affected and to notify the supervisory authority within the stipulated 72 hours of becoming aware of a breach.
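Pseudonymising the online identifiers the regulation names as personal data (IP addresses and cookie identifiers) is one concrete technical measure behind the bullets above; Article 32(1)(a) explicitly lists pseudonymisation and encryption as appropriate safeguards. The Python below is an added example written for this page, not code from the original post or from any provider it mentions. It assumes web-server logs in Common Log Format with a trailing `sid=` field carrying the session cookie; the log lines and the key are constructed for the example.

```python
import hashlib
import hmac
import ipaddress
import re
from typing import List, Optional

# Constructed sample access-log lines (no real traffic). Each line is Common Log
# Format with an assumed trailing "sid=<hex>" field carrying the session cookie.
SAMPLE_LOG = """\
203.0.113.45 - - [10/Oct/2017:13:55:36 +0000] "GET /account HTTP/1.1" 200 2326 sid=8f3a9c2e1b7d
2001:db8::1234 - - [10/Oct/2017:13:55:37 +0000] "POST /login HTTP/1.1" 302 0 sid=4b2c8d0e9f1a
198.51.100.7 - - [10/Oct/2017:13:55:40 +0000] "GET /robots.txt HTTP/1.1" 200 68
"""

# Pseudonymisation key (constructed). In production it lives in a secrets store,
# is kept apart from the logs and is rotated; anyone holding it can re-link a
# pseudonym to the raw identifier, so the key is itself sensitive.
KEY = b"constructed-example-key-rotate-me"

# Client address, then everything up to an optional trailing session-cookie field.
LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<rest>.*?)(?: sid=(?P<sid>[0-9a-fA-F]+))?$")


def pseudonymise_token(value: str, key: bytes = KEY, length: int = 16) -> str:
    """Replace an identifier with a keyed hash (HMAC-SHA256).

    Records sharing a cookie still correlate (same input, same pseudonym), but
    without the key the original cannot be recovered. A plain unkeyed hash of a
    short cookie value would not do: anyone can hash candidate values and
    compare, so the data would remain personal data (Recital 26).
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:length]


def truncate_ip(addr: str) -> str:
    """Coarsen an address to its network prefix (/24 for IPv4, /48 for IPv6).

    Irreversible: host-level identifiability is dropped while coarse geography
    and abuse patterns remain usable for analytics. Raises ValueError if the
    field is not an IP address.
    """
    ip = ipaddress.ip_address(addr)
    prefix = 24 if ip.version == 4 else 48
    network = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(network.network_address)


def pseudonymise_line(line: str) -> Optional[str]:
    """Return the line with its personal-data fields pseudonymised, or None if
    it does not match the expected format, so the caller can quarantine it
    rather than store raw identifiers by accident."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        coarse_ip = truncate_ip(m.group("ip"))
    except ValueError:
        return None
    out = f"{coarse_ip} {m.group('rest')}"
    if m.group("sid"):
        out += f" sid={pseudonymise_token(m.group('sid'))}"
    return out


def pseudonymise_log(text: str) -> List[str]:
    """Pseudonymise every non-empty line; unparseable lines are replaced by a
    marker so nothing identifiable slips through unprocessed."""
    result = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        cleaned = pseudonymise_line(raw)
        result.append(cleaned if cleaned is not None else "<unparsed line dropped>")
    return result


if __name__ == "__main__":
    for line in pseudonymise_log(SAMPLE_LOG):
        print(line)
```

Truncation and keyed hashing are deliberately different tools: the IP is coarsened irreversibly because most sites never need the full address, while the cookie is pseudonymised with a key so that a fraud or incident investigation can still follow one session across records. Keep the key separate from the logs; logs plus key are once again fully identifiable personal data.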
How to test your cyber defences and responses for GDPR compliance
Specialist IT security companies offering GDPR and cyber security services are well placed to help businesses understand and close gaps in their corporate IT and network security, and to be proactive in threat detection and remediation.
Such providers have a range of tools and engagement types at their disposal to help organisations protect their business-critical assets and reputations. These include:
- Vulnerability assessments
Vulnerability assessment is the process of defining, identifying and classifying security weaknesses in a computer system, network or communications infrastructure. A managed assessment helps identify and rate the risks to the personal data your organisation holds, so that the effectiveness of security policies and procedures can be reviewed, improvements prioritised and appropriate resources allocated.
- Managed Detection and Response (MDR)
Managed Detection and Response is the industry term for services that go beyond the traditional protective monitoring and security device management offered by a Managed Security Service Provider (MSSP). MDR combines detection technology, current global threat intelligence and skilled security analysts to identify, investigate and contain attacks, which is the capability the 72-hour breach-notification clock depends on.
- Penetration Testing
Also known as pen testing, this is the practice of using ethical hackers to test a computer system, network or web application for exploitable vulnerabilities. CREST-registered and OSCE-certified penetration testers use multi-layered assessments to find weaknesses in networks, mobile devices, websites and applications that could lead to personal data being compromised.
- Red Team Operations
A Red Team Operation, or red teaming, is an objective-based exercise in which the Red Team acts as a simulated adversary and adopts an attacker's mindset against the organisation as a whole. Rather than cataloguing every vulnerability, it replicates modern adversarial techniques end to end to test whether the organisation can detect, manage and respond to an advanced, bespoke attack that targets its physical, human and technical defences alike.