Nearly half of UK businesses don’t have a formal cyber strategy in place, and 40% wouldn’t know who to contact if they were victims of an attack, according to a new survey.
Published by the Institute of Directors (IoD) and Barclays, the survey found that, even though the vast majority of respondents considered cyber security to be important to their business, only 45% had a strategy in place to defend against the risks.
Cyber security and the GDPR
The fact that so many businesses don’t know who to contact if they are breached is particularly concerning given the imminent arrival of the EU’s General Data Protection Regulation (GDPR).
From 25 May next year, the GDPR will come into effect. Among its requirements is the need to report data breaches to a supervisory authority if the breach is “likely to result in a risk to the rights and freedoms of individuals”.
In cases of personal data breaches, the individuals affected will also have to be informed.
Failure to report a breach to the supervisory authority or data subject will see organisations facing fines of up to 2% of annual global turnover or €10 million – whichever is greater.
However, if an organisation is found to have violated basic principles related to data security or consumer consent, that fine could be as much as 4% of annual global turnover or €20 million.
Who to contact
In the event of a data breach, organisations must contact their relevant supervisory authority. Each EU member state has established a supervisory authority. The UK’s is the Information Commissioner’s Office (ICO).
If a business has multiple bases in the EU, it must appoint one supervisory authority as its “lead authority”. This will be decided by the location of its “main establishment”, i.e. the place where the majority of processing activities take place.
Breaches must be reported within 72 hours of the victim organisation becoming aware of them. The GDPR recognises that it is typically not possible to fully investigate a breach within that period, so it allows the victim organisation to provide the information “in phases”.
Should individuals need to be informed of a breach, it must be done “without undue delay”.
Prepare your organisation
All organisations based in or operating in the EU should be preparing for the GDPR. Organisations looking for resources or advice on implementing the change should consider IT Governance’s GDPR Expertise Bundle.
It contains many of our GDPR resources in one package, including a pocket guide to the Regulation, an implementation and compliance guide, and an introduction to the legal and practical data protection risks involved in using Cloud services.