Age of Consent

GDPR and the evolution of cyber security

We’ve all been getting those emails over the past month, with a multitude of messages from companies pleading with you not to leave them. Some of us delete them immediately, paying no attention. But if you or your business are concerned about cyber security, this is an important development that means new obligations for companies and organisations collecting personal data as well as giving individuals a lot more power to access the information that’s held about them.

The emails are a response to the EU’s General Data Protection Regulation (GDPR) and the UK government’s new Data Protection Act, which replaces the version passed into law in 1998. These laws aim to give you more control over your personal information online, thus reducing the amount of spam you receive in your inbox. Therefore, companies that own data about you have been getting in touch asking whether they can retain that information.


A new security infrastructure is now taking shape for global protection against cyber attacks and mismanagement of data. Each new item of legislation aims to counteract the exposure of companies and private individuals to threats. With major data breaches last year at the NHS, Uber and Equifax and cross-border cyber attacks like the WannaCry and NotPetya malware, corporates are increasingly introducing controls and systems. By reducing the risk of exposure and elevating awareness, they could save millions while providing protection to stakeholders.

However, the transition and implementation of security protocols and systems can be long and expensive, especially for small and medium-sized companies. Two in five small businesses saw at least one breach last year. This is a significant proportion, and small businesses are less likely to have formal cyber security policies, staff training or even sought guidance.

With GDPR coming into force in May, it is expected that businesses will achieve better standards of control over data usage and processing as well as implement security requirements and protocols. This is a positive step forward, but strict implementation has put pressure on small businesses in the UK and Europe, which are struggling to comply with the new regulation.

The regulation creates a legal framework for companies doing business with any EU country or managing an EU resident’s personal data. It establishes protocols and standardised means to collect, process and administer information. It aims to provide a secure infrastructure to protect data owners from misuses and exploitation while protecting firms from cybercrime. It makes companies liable for data breaches that could harm users and sets strict penalties for non-compliance.

Here again, though, preparedness has been poor. Some companies have had to shut down their websites, or even their activities, while others had to reshape the terms of agreement for their users – some of which were perceived as going too far. We’re back to those emails. Stay on my mailing list! Agree to my new, complicated terms! The limitations on the use of customers’ details and the consent requirement are limiting companies’ ability to communicate with the public, and their databases are being significantly reduced or have no marketing value anymore.

Hours after the GDPR was up and running, websites like the Chicago Tribune and LA Times went dark in the EU. Some companies are going further, temporarily blocking European users from their servers. This was the case at Instapaper, owned by American company Pinterest, and media network A+E. And others like inbox management firm Unroll.me, political fundraising organisation Crowdpac and social media analytics service Klout are completely withdrawing services from the EU.

Facebook, Instagram, WhatsApp and Google have already faced complaints about GDPR non-compliance after allegedly forcing users to agree to their terms of service when under the new regulation consent should be given freely and without pressure. These companies could face fines up to £17.5m or 4% of annual revenue.

The project for the construction of the cyber security infrastructure doesn’t end there. The UK government’s Network and Information Systems Regulations 2018, which also came into force in May, seeks to enhance companies’ ability to identify the source of attacks and increase levels of protection and public trust in IT systems. This is part of a five-year plan with investment of up to £1.9bn, complementing GDPR, whose scope is wider and focuses more on IT systems than on the security of data processing.

According to the UK government, this new regulation will affect around 432 companies classified as either operators of essential services or digital service providers. These are mainly in the digital infrastructure, energy, transport, health, water and digital service sectors, i.e., the sectors considered to have the greatest exposure and risk.

GDPR has overshadowed the UK government’s initiative, which is nonetheless an important step towards the establishment of better cyber security practices. It should be taken seriously, as the fines and penalties are just as rigorous and eye-watering as the GDPR ones. There is still a lack of awareness and clarity on the application process and on whether both regulations overlap, making it even harder for businesses to comply.

Although companies have had time to prepare, this initial shock wasn’t unexpected, as the operational implementation of the new regulations has proven to be time and resource consuming and expensive. Nevertheless, it is an enormous step into the next generation of cyber security systems and is improving ways of doing responsible and transparent business as it responds to the needs of an already interconnected world.