Cyber threats have risen up the agenda for businesses in the last couple of years, propelled by some of the high-profile incidents referenced in earlier chapters. The average cost of a data breach continues to rise, and this number is likely to grow even further as the cyber risk landscape becomes ever more complicated.
Governments around the world are updating and passing new laws to improve the security and resilience of electronic networks, systems and data. One key feature of these new laws is the potential for an increase in penalties and sanctions levied on businesses that fail to adhere to their requirements.
In Europe, the European General Data Protection Regulation (GDPR) seeks to protect citizens’ privacy and data security, and will significantly increase the burden on businesses holding electronic data.
Key aspects include:
- The extension of jurisdictional reach to include any business that offers goods and services to EU citizens, regardless of where it is located.
- A requirement for businesses to recognise customers’ data rights, including the ‘right to be forgotten’, the right to have their data transferred to other businesses, and the right to object to profiling activities.
- A stipulation that, in certain circumstances, security breaches must be reported to a relevant regulator within 72 hours and to affected citizens without ‘undue delay’.
- The ability to impose fines of up to 4% of annual worldwide turnover (or €20 million, whichever is higher). Individuals may also claim compensation from organisations not only for financial loss, but also for any non-material damage (such as distress) that is suffered.
The GDPR will come into effect across European Member States on 25 May 2018. It aims to bring European data protection laws up to date with the modern technological possibilities of the ‘Big Data’ age, harmonise the varied data protection laws across Europe and even bring companies situated outside the EU within the scope of European law in certain circumstances.