Overnight, the consequences of a cyber breach and the risk associated with the loss of sensitive data will become far more wide-reaching. Vincent Vandendael, Chief Commercial Officer at Lloyd’s, sets out key tips that businesses should consider to protect themselves ahead of the GDPR’s introduction.

1. Invest in cyber security

Companies that can demonstrate they have taken steps to protect themselves from attack will be looked on more favourably by regulating authorities. A recent survey by Lloyd’s showed that 92% of European respondents said that their company had suffered a data breach over the past five years, proving that it is a matter of when, not if, a business becomes a victim of a cyber breach or attack. Making sure your business has appropriate procedures in place and the right tools at its disposal to reduce this risk is a worthwhile investment and a small price to pay.

2. Take up cyber insurance

Companies need to ensure they are best prepared to mitigate the risks arising from a cyber attack. Taking out insurance should now be seen as the first critical step. The benefit is that your balance sheet is protected not just by a financial pay-out after things have gone wrong, but also by expert consultancy to improve security and on-the-ground support during the period of crisis. By working with cyber security experts and insurers, businesses can better understand the risks they face and help mitigate them in order to protect their reputation.

3. Report breaches responsibly

As part of the new regulations, businesses will have a duty to report data breaches within 72 hours, and failure to do so could result in a fine, in addition to a fine for the breach itself. Organisations that fail to comply with the GDPR or experience a data breach could face fines of up to €20m (or 4% of their annual global turnover) in the most serious cases. Cyber-security experts NCC Group have estimated that fines from the Information Commissioner's Office (ICO) against UK companies last year would have been £69m rather than just £880,500 if the GDPR had been in force. In some cases, businesses will also be obliged to contact individuals whose data has been obtained as a result of a breach. Having sufficient procedures in place to effectively detect, report and investigate a personal data breach is paramount.

4. Understand the risks

Do not just leave it to the IT team. Everyone in the business should be aware of the changes, and the C-suite must lead from the front in demonstrating how seriously these issues must be taken. You need to understand the risks that breaches present, how to avoid them and what to do when a breach happens. Ensure that everyone is briefed and understands how this affects their role moving forward. Pleading ignorance will not spare you a fine.

5. Regularly review procedures

Once you have everything in place ahead of the introduction of the GDPR, do not be complacent. Some 15 years ago technology played a marginal role in our lives. Today it is part of everything we do, and the risks and threats that exist are evolving just as fast as the technological solutions we rely upon to prevent cyber incidents. To ensure you are prepared, introduce regular audits to ascertain whether the procedures in place are working and what improvements could be made, so that you remain compliant and mitigate risks.

Find out more about cyber insurance at Lloyd's