It seems like all anybody is talking about these days is GDPR. And with May 2018 fast approaching, there is good reason for that. However, privacy and data protection are so much more than just GDPR.
First of all, an important distinction needs to be made—while GDPR compliance may save you from having to pay massive fines (EUR 20 million or 4% of your global turnover), it will not save you from a cyber-attack.
When you look at any cyber-breach event, there are several tenets to focus on. The first is the pre-breach regime. While this obviously includes ensuring compliance with GDPR and any other relevant regulatory regimes, it should also include application of industry best practices, such as ensuring that all firewalls and anti-virus software are up to date.
However, as hackers get smarter, and as we continue to advance technologically at an insane pace, no degree of preparation can fully protect you from an attack. That is why the second tenet, post-breach preparation, is perhaps even more important than the first.
The GDPR craze has left everyone trying to tick off all the boxes in terms of regulatory compliance. But little attention is given to addressing what happens if you do actually get attacked.
Well, if you are so unfortunate as to experience an attack, there are two things you are going to ask yourself: First, did I do all I had to do in terms of compliance so as not to be susceptible to regulatory fines? And second, what can I do now to keep my customers and suppliers feeling happy and secure, to ensure minimum damage to my IT systems, and to get my organization back up and running as soon as possible? Note that while GDPR may put you in a better position to withstand regulatory scrutiny and possible civil claims, it is certainly not foolproof and the damage of a cyber breach does not amount solely to regulatory fines.
If 2017 has taught us anything, it’s that when it comes to data breaches no one is safe. More than 50% of U.S. businesses experienced a cyber-attack in 2017 and nearly two billion records were lost or stolen. That’s why we strongly encourage you to conduct yourself with the certainty that, at some point, you will be attacked—and to prepare yourself accordingly.
So how can you prepare yourself for the inevitable? Here are a few simple steps to get you started: (1) allocate a portion of your budget to IT and data security; (2) appoint a trusted individual to oversee privacy and security development and compliance as an express component of such individual’s job responsibility; (3) have a first-response team and a breach-response plan in place; (4) retain experienced legal counsel; (5) liaise with computer forensic and other risk-avoidance/crisis-management consultants; (6) work with your legal advisors and HR personnel to develop written cybersecurity policies and procedures; (7) develop templates and information security tools for use with employees, vendors, and third-party business partners; (8) purchase dedicated cyber/privacy insurance; and (9) prepare pre-crafted communication templates and drill your PR and communications team to prepare them for the day of.
If you do all of the above, you are guaranteed to be in a better position than if you relied solely on GDPR compliance.