The General Data Protection Regulation (GDPR) is to be reviewed in 2018; the purpose of the regulation is to provide, strengthen and unify data protection for individuals within the European Union.
According to the EU Council, the primary objectives of the GDPR are to give citizens back the control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
Whilst streamlining the regulatory systems of the cyber world is a good step in the right direction, enabling a unified approach in cyber security, companies have objected to a number of the requirements. For example, the requirement for a data protection officer and possible conflict with other non-European laws and regulations and practices (e.g. surveillance by governments).
The threat of a heavy fine amounting to some 4% of annual sales will make even the most blinkered board member or partner wake up. However the new regulations however, seem to be too limited in their scope.
Companies must do more than simply comply with regulations, be awarded a badge stating they have done everything according to regulation and assume that is the end of their responsibilities. A company can be as diligent and as state of the art as possible but all of these measures are meaningless if the human element is not educated and aware of the risks.
Regardless, of the cyber security measures, all can be avoided or subverted by the 1 out of a 100 employees who opens an email with attached malware, or a phishing email catered to exploit them to gain access to the company systems. There is no one cure all solution for cyber security, for no system can be protected from a determined human adversary. A wellfunded and patient team of cyber-criminals will eventually find a weakness in a system and exploit it.
Ultimately, the weakest link of a system is the human link, and the only way to remove the element of human weakness is education. Slack controls and a lack of any clear Social Media policy provides intelligence and information to the criminal. The lack of any cohesive BYOD policies is also damaging. There is a need to implement regular educational programmes, stress tests (black hat in nature) and phishing audits, which will go some way to mitigating the risks.
Companies will need to utilise a series of measures in tandem to provide a complete coverage. Unfortunately, just by following one regulation, a company will not be providing adequate security. To remain stationary is to fail. However, a uniform approach to cyber security should assist in creating an environment where it is easier to protect customers and prosecute criminals.
The GDPR: a necessary step or not far enough?
