The General Data Protection Regulation (GDPR) sets out legislation that governs how data related to people in the EU and UK should be collected and processed. In the UK, the GDPR forms part of the Data Protection Act 2018.
One of the areas of focus for the GDPR is data breaches, which fall under the wider topic of data management. Under the GDPR, organisations that control and process data are accountable for that data and must take steps to manage and secure it.
When this data is compromised, a breach of GDPR occurs. With potential fines of up to €20 million (about £17.5 million) or 4% of annual global turnover – whichever is greater – for infringements, data breaches can have serious consequences for you and your organisation.
In this blog, we'll share with you what constitutes a GDPR breach, the most common causes of breaches and what your organisation can do to avoid them.
In the GDPR text, a data breach is defined as a breach of security leading to the accidental, unlawful or deliberate destruction, loss, alteration, unauthorised disclosure of, or access to, personal data related to individuals living in the EU.
Based on this, data breaches can fall into three categories:
The GDPR covers two types of data: ‘personal data’, such as name and surname, home address, email address and location data; and ‘sensitive personal data’, such as biometric data, healthcare records, union memberships and religious beliefs.
Data breaches come in various forms and sizes, ranging from breaches caused by hacking, malware and ransomware, to breaches facilitated by password guessing, phishing and Distributed Denial of Service (DDoS) attacks.
Other causes of data breaches include portable device loss, unintended disclosure, insider leaks and physical data loss (such as from a fire).
Not all incidents are the result of a cyberattack; however, many are. Here’s a breakdown of some of the most common breach types:
Most large-scale data breaches are caused by hackers. A variety of techniques are used by these criminals, including SQL injection, malware and DDoS attacks. In most cases hacking is premeditated, aimed at compromising a specific data set.
Ransomware is a malicious program that holds a computer, or the data on it, for ransom and demands payment. The program then threatens to destroy all data on the computer if the ransom isn’t paid; loss of access to the data in this way counts as an availability breach.
Employee negligence could be something as simple as emailing a spreadsheet containing personal data to the wrong person, or as sinister as emailing data to a criminal pretending to be the company CEO, which is exactly what happened with Snapchat in 2016.
Unauthorised access can be facilitated by weak passwords, single-factor authentication and leaving devices logged in. Privileged users with access to sensitive information present the biggest risk to organisations.
Portable device loss poses a significant data management risk, especially when devices are not encrypted and cannot be remotely wiped. This happened in 2007 when a disc containing the personal details of 25 million British families got lost in the post.
Unintended disclosure is when employees with access to sensitive information reveal confidential information unintentionally or by mistake. This is a leading cause of major data breaches under the GDPR.
With the potential for serious fines, it's vital that GDPR training is deployed to your employees, so that they understand their role in your organisation’s data protection policy.
Your existing training may be insufficient to cover the GDPR and bring about the necessary behavioural changes. Your employees will need training in order to put your privacy and security policies into practice.
Nothing poses a bigger risk to your organisation than data breaches. Making cybersecurity a top priority will ensure your organisation takes all necessary steps to establish protocols like assigning a data protection officer (DPO) and carrying out Data Protection Impact Assessments (DPIAs).
Cybersecurity threats are evolving at a rapid rate. Industry trends come and go. Compliance requirements change over time. You need to be aware of the latest developments in cybersecurity and GDPR law so that you can be prepared for the latest threats, continue to comply with the GDPR and run a sound operation.
Bob’s Business offers NCSC certified cybersecurity courses that are designed to change company culture. We can put your organisation on a path to GDPR compliance. Request a free web demonstration to see how Bob’s Business can help keep your organisation secure, or click here to view our success stories.