Cyber Security: How to Maintain GDPR Compliance?

Published 2021-04-28 (last modified 2024-01-26). Source: https://crigroup.com/ar/cybersecurity-gdpr-compliance/

The European Union’s (EU) General Data Protection Regulation (GDPR) came into force in 2018. The GDPR was a response to massive worldwide data breaches that were undermining the trust and security of private citizens whose personal information was at stake. As this data was exposed both by hackers and, in some cases, simply through poor security measures, the governments of the EU felt it was time to create a strong piece of governance to bolster protection. While the initial rollout of the GDPR held some uncertainty and unknowns for organisations subject to its guidelines, there is now a much clearer picture of how its standards apply. The punishments for being caught out of compliance can be severe: violators of the GDPR may be fined up to €20 million or up to 4 percent of the annual worldwide turnover of the preceding financial year in the case of an enterprise, whichever is greater.

Cybersecurity Is a Priority for Management

Even with extremely high fines and stringent requirements, GDPR violations and data breaches have been skyrocketing across the world. In 2020 an overall increase in fraudulent activity was detected, according to the ACFE’s “Fraud in the Wake of COVID-19: Benchmarking Report”: 77% of survey participants had seen an increase in the overall level of fraud as of August, compared to 68% who had observed an increase in May. Earlier we wrote about how the COVID-19 crisis triggered fraudulent activities and what businesses can do to support anti-fraud efforts in their organisations and to strengthen their immunity to fraud. Cyber-attacks, too, are on the rise: the survey by gov.uk continues to show that cybersecurity breaches are a serious threat to all types of businesses and charities. 39% of businesses and 26% of charities reported having cybersecurity breaches or attacks in the last 12 months. As in previous years, this is higher among medium businesses (65%), large businesses (64%) and high-income charities (51%).

The study suggests that the risk level is potentially higher than ever under COVID-19 and that businesses are finding it harder to administer cybersecurity measures during the pandemic: 35% of businesses, compared to 40% last year, are now deploying security monitoring tools. This reduction suggests that these organisations might simply be less aware than before of the breaches and attacks their staff are facing.

Among those that have identified breaches or attacks, around 27% of businesses experience them at least once a week. The most common by far are phishing attacks (83% of businesses, and 79% of charities), followed by impersonation (27% and 23%). According to the gov.uk survey, despite COVID-19 stretching many organisations’ cybersecurity teams to their limits, cybersecurity remains a priority for management boards. But it has not necessarily become a higher priority under the pandemic. Three-quarters (77%) of businesses say cybersecurity is a high priority for their directors or senior managers, while seven in ten charities (68%) say this of their trustees.

The Most Notable Data Breaches

In a climate where organisations are putting more emphasis on strengthening their online security systems, there is still no shortage of data breaches or GDPR violations. Our experts have shortlisted a few of the most notable cases, in no particular order, for you to be aware of:

1. Booking.com

In a very recent case, travel booking website Booking.com was hit with a €475,000 ($560,000) fine after failing to report a data breach within the time period mandated by the GDPR. The breach happened back in 2018, when telephone scammers targeted 40 employees at various hotels in the United Arab Emirates (UAE). The hackers were able to obtain login credentials for the booking system and to access the personal details of more than 4,000 customers who had booked hotel rooms via booking.com. The scammers exposed the credit card details of 283 customers, and in 97 cases the CVV code was also compromised. Under the GDPR, a data breach must be reported within 72 hours. Booking.com was 22 days (!) late in reporting the breach to the Dutch Data Protection Authority and was issued a fine in April 2021, as reported by Forbes.

2. Twitter

Another company that was late to report a security flaw is Twitter: the flaw was discovered in December 2018, but the social media giant did not report it to Ireland’s Data Protection Commission (DPC) until the following month. As a result, Twitter was told to pay a €450,000 GDPR fine by Ireland’s data regulator for failing to report the 2018 data breach within the legally required timeframe. The DPC also determined that Twitter failed to adequately document the breach, another requirement under the GDPR.

3. Vodafone

A firm that had already been warned or fined smaller amounts on at least 50 occasions between January 2018 and February 2020 is in the news again: the Spanish data protection authority has fined Vodafone €8.15 million (approximately £7 million) for aggressive telemarketing tactics and repeated data protection failures. The fine was issued as the result of an investigation prompted by hundreds of complaints, with the regulator discovering a system that held up to 4.5 million contact lists purchased from third parties without user consent.

4. Facebook

And another social media giant: Facebook. Ireland’s data protection watchdog is demanding answers from Facebook over the release of records on 533 million people that appeared to stem from the social media site. As reported in April 2021, a spokesman for the Data Protection Commission (DPC), which regulates Facebook in the European Union, said “a dataset, appearing to be sourced from Facebook, has appeared on a hacking website this weekend for free and contains records of 533 million individuals.”

5. H&M

The Data Protection Authority of Hamburg, Germany, fined clothing retailer H&M €35,258,707.95, the second-largest GDPR fine ever imposed. H&M’s GDPR violations involved the internal monitoring of employees. After employees took vacation or sick leave, they were required to attend a return-to-work meeting. Some of these meetings were recorded and accessible to over 50 H&M managers. This violated the GDPR’s principle of data minimisation: don’t process personal information, particularly sensitive data about people’s health and beliefs, unless you need to for a specific purpose.

6. Google

The biggest penalty (€50 million) was issued to Google for its alleged failure to provide notice in an easily accessible form, using clear and plain language, when users configure their Android mobile devices and create Google accounts, and to obtain users’ valid consent to process their personal data for ad personalisation purposes.


How to Maintain GDPR Compliance

What can we learn from these case studies? Maintaining GDPR compliance is a complex process and requires a lot of diligent work. At CRI Group, we recommend treating it as part of your risk management strategy, together with your compliance policies and procedures.

To help you maintain compliance with the GDPR, our integrity due diligence experts have created the following top 10 GDPR best practices for any business or entity that collects, stores or uses personal information:

1. Employ a Data Protection Officer (DPO)

It is a GDPR requirement that entities which carry out regular and systematic monitoring of individuals on a large scale, or large-scale processing of certain special categories of data, have an assigned DPO. It is also recommended, however, for all other entities, to help ensure data security. While the GDPR does not specifically list the necessary training or qualifications of a DPO, the regulation does require the DPO to have “expert knowledge of data protection law and practices” (Digital Guardian, 2019). Implement thorough background screening processes and make sure the candidate is trained and qualified to be your DPO.

2. Train Your Employees

Ensure that all personnel are aware of the GDPR and your organisation’s commitment to compliance. Make sure that all leaders, and especially key personnel charged with collecting, handling or storing data, understand their responsibilities under the GDPR. Make data protection training a regular part of your employee curriculum.

3. Confirm the Legality of Your Data Collection

The GDPR requires that you have a legal basis to collect personal data. For most businesses, the following are the most likely to be applicable: