Last week it was announced that, following a GDPR fine of £183 million earlier this year, half a million British Airways customers were told they could sue the airline over a 2018 data breach in which their bank details and addresses were stolen by hackers.
Whilst this is certainly not the first large firm to be hit by a substantial fine, a worrying number of UK businesses do not yet appear to be fully GDPR-compliant, and many are unclear about their state of compliance even a year and a half after the regulation came into effect.
Complying with GDPR is challenging for businesses because it is not an auditable standard against which you can demonstrate a set of controls and then be confident that you have been declared compliant.
Instead, GDPR requires a business to adopt certain processes, and until it can be demonstrated that those processes are working it is difficult to declare yourself compliant. For example, many companies are struggling with the 72-hour timescale for reporting a breach. The challenge is not so much the timescale itself as the amount of information that must be included in the report to the relevant data protection authority. The requirement is to explain how the breach happened, how many records were lost, what the impact of the loss is, to provide a forensic analysis of the breach, and to set out what mitigation plan has been put in place for the future. This amount of information is extremely difficult to pull together in just 72 hours, and many firms are only achieving it via third-party experts who are called in to remediate the breach. This also contrasts sharply with the 101 days that Mandiant reports as the average time taken to discover a breach.