With the number of data breaches being reported in the UK rising and the Information Commissioner’s Office (ICO) exercising its powers to enforce tougher penalties, what can organisations do to protect their customers and themselves? Robust privacy and cyber risk management is part of the answer.
Figure 1: Personal Data Breach Report by the ICO, 2019
Where fines under previous data protection legislation were limited to £500,000, penalties under GDPR can be up to 2% or 4% of annual worldwide turnover depending on the circumstances.
Hotel group, Marriott International has felt the force of the ICO, with a proposed £99 million GDPR fine following a data breach that affected approximately 330 million guests. The ICO’s investigation found that Marriott failed to undertake sufficient due diligence and implement appropriate security measures.
ICO commissioner Elizabeth Denham said "That's why the law is clear – when you are entrusted with personal data, you must look after it. Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
British Airways faces an even larger penalty of £183 million (the biggest issued by the ICO to date), for also having inadequate security. The ICO is yet to announce the details behind its decision but at 1.5% of revenue, there must have been some mitigating factors which have influenced the regulator’s decision.
This raises some important questions for organisations, such as: ‘are we managing personal data well enough to avoid breaches of the GDPR?’ and, if not ‘how can I protect our personal data from a breach and the organisation from penalties and reputational damage?’
What determines the severity of the fine?
Simon McDougall, of the ICO’s management board explained that one factor which determines the severity of the fines was how much attention the companies had paid to their cyber security. “There are scenarios where organisations can have robust systems of controls and things still happen and we understand that and at the same time there are some times when those controls are not as robust and it’s apparent when a breach comes out that things should have been done better.”
It is inevitable that some data breaches will occur regardless of security measures, so 100% privacy can never be guaranteed; as a result, consequences of a data breach will be determined on a case-by case basis. It will therefore vital for firms to be able to understand and explain:
• The event: What happened, how it happened, why it happened, the number of people affected, the damage they suffered, and how long it took to resolve.
• The risk: Had the risk of such an event occurring been anticipated and was it the result of malicious, accidental or negligent actions?
• The mitigation: What controls were in place to mitigate the risk and were they operating effectively?
• The history: Have similar data breaches or near misses happened previously and were the root causes identified and rectified?
By having a clear and effective risk management process in place, organisations will have the up-to-date answers to these questions.
Even prior to the enforcement of the GDPR, the European risk management federation (FERMA) emphasized the importance of risk management in aligning with the GDPR Articles and demonstrating compliance.
"GDPR goes to the heart of the way that many large companies operate today and could affect opportunities they would like to gain from data. Data is one of the largest assets a company holds, so these are truly enterprise issues that affect strategic aspects of the board's mandate, including valuation, reputation and trust. The management of digital risks is a corporate issue that should be reflected in the governance of the company," said FERMA president Jo Willaert.
At Acuity Risk Management, we firmly believe that prevention is better than cure. Acuity Director, Simon Marvell stated "it is time for organisations to wake up to the severity of privacy regulations, be it in relation to the GDPR, the California Consumer Privacy Act, the PIPEDA in Canada or similar international regulations. Compliance should never be a tick-box activity, particularly where security is concerned. By taking a risk-based approach to privacy and cyber security, organisations can demonstrate compliance whilst protecting their personal data.”
How can I take a risk-based approach to protect personal data and my organization?
GDPR involves a risk-based approach to compliance with organisations required to consider the risks of varying likelihood and severity to the rights and freedoms of natural persons. This is a different emphasis from the management of risks to the business which typically focus on financial, reputational and other impacts to the organisation rather than to individuals.
Appropriate risk-based technical and organisational measures must be implemented to:
• Demonstrate processing in accordance with the regulation (Article 24)
• Design processing to implement the data protection principles and integrate the necessary safeguards (Article 25)
• Ensure a level of security appropriate to the risk (Article 32).
In order to understand and manage both privacy and security risks, organisations must evaluate their current risk status. This includes having:
• Records of processing activity in which personal data is identified and mapped to supporting assets and business processes / operations
• Risk Registers for recording, assessing, managing and monitoring risks to the privacy principles and to the security of personal data, including Data protection impact assessment (DPIAs)
• Organisational and technical measures mapped to the relevant privacy and security risks
• Visibility and monitoring of the ongoing status of risks, organisational and technical measures, actions, incidents, audit findings and other relevant data
• Evidence of a diligent risk-based approach to GDPR with accountability for actions and decisions.
These are ongoing requirements meaning that organisations must continuously monitor, review and up-date their processing to comply with the regulation.
With this in mind, solutions such as Acuity Risk Management’s award-winning, STREAM Integrated Risk Management platform is a highly valuable resource for capturing all of the required information in a way that demonstrates regulatory compliance.
STREAM automates processes and reporting for a risk-based approach to GDPR allowing you to:
• Reduce the risk of personal data breaches whilst providing evidence of mitigating controls and DPIAs
• Reduce costs by streamlining tasks to gather, collate, analyse and report on GDPR compliance status
• Demonstrate and provide evidence of a diligent risk-based approach to GDPR to help mitigate fines and other impacts in the event of a personal data breach
• Streamline risk and compliance activities with other, overlapping regulations and frameworks including ISO 27001, PCI DSS, NIST Cyber Security Framework and a wide range of other standards and regulations
• Reduce costs of audits and reporting to stakeholders (including customers) by having information up-to-date and available on demand.
Data protection is an increasing priority for organisations across the world. With the regulators such as the ICO issuing large fines, it is important for organisations to take immediate steps to improve their handling of personal data or risk becoming the next casualty of the GDPR.
As the ICO continues to make decisions on the severity of fines based on precautionary procedures in place at the time of the breach, it is imperative that organisations are able to demonstrate compliance.
STREAM’s risk-based approach provides evidence that personal data continues to be protected with appropriate organisational and technical controls to help mitigate the possibility of a data breach. For further details on taking a risk-based approach to GDPR, please review our previous whitepaper: ‘As GDPR starts to bite, make sure your risk management is in order.’
For more general information about Acuity or STREAM, please visit our website or contact us.