That is the day that the EU General Data Protection Regulation (GDPR) will come into force. It is a great idea for private individuals: at long last they will have serious protection for their own personal data. Any organisation, wherever on earth it is located, that holds personally identifiable information (PII) about EU residents must comply with the legislation. In practice, this means the information must be held securely within the organisation's electronic systems, which for privacy reasons means it should be stored in encrypted form.
However, for any organisation that is not prepared for this event, it will not be so good. Any organisation which suffers a cyber breach must report to the regulator, advising which records were read, which were modified, which were deleted and which were exfiltrated from the system to an outside party. The original proposal was to insist that reporting be completed “within 72 hours of a breach occurring”, but objectors argued that it would be unreasonable to expect companies to comply with such a tight deadline, so the requirement was changed to “within 72 hours of discovery of a breach”. While the former wording had the attention of managers, the watered-down version means they are much less concerned now. Of course, it also presents a moral hazard to managers: how quickly will they ‘discover’ a breach, especially around critical times of the financial year?
However, the potentially huge fines will certainly grab management's attention. Fines can be up to the greater of €20,000,000 or 4% of global turnover, based on the previous year’s accounts. To mitigate against such punitive fines, organisations will need to ensure that their systems are properly set up to minimise the impact of a breach on the PII they hold. This requires meaningful security controls that are properly monitored, with private data encrypted. While encryption is not mandatory under the regulation, where it is properly used (and the keys are not compromised along with the data) it is likely to have a huge mitigating effect on any potential fine; organisations that do not use encryption are likely to face considerably higher fines in the event of a cyber breach.
Will it matter what kind of computer system the business uses?
The short answer is yes. If the business uses cloud computing, there is a little-known additional risk to which all such businesses are exposed. It is such a serious issue that it may prevent the business from being able to comply with the new regulation. It is known as the ‘cloud forensic problem’ and arises when an attacker gains access to a cloud system. Once the attacker gains a foothold in the cloud system and becomes an intruder, their first target will be to escalate privileges until they are able to modify or delete the cloud forensic trail (the logs and audit records kept within the same system) and so disguise all evidence of their intrusion. A business that cannot trust its own audit trail cannot say which records were read, modified, deleted or exfiltrated, and so cannot make the report the regulation demands. There is currently no mechanism by which this can be prevented. Clearly, from a compliance perspective, this will matter, and the potential fine is likely to increase significantly as a consequence.
You can read Dr Duncan's paper in full here: http://www.thinkmind.org/index.php?view=article&articleid=cloud_computing_2018_1_10_28010
Dr Robert Duncan is a senior lecturer in Accounting and Finance at the University of Aberdeen Business School and is co-Chair for the Enterprise Security Workshop at the IEEE/ACM International Conference on Utility and Cloud Computing, as well as being a member of the Advisory Committee for the CLOUD COMPUTING series.