Will the GDPR bring in an era of fines, or will it finally rein in data breaches?

With just over a year until the EU's General Data Protection Regulation comes into force, a law set to revolutionise data protection practices around the world, and a record 421 billion records stolen in 2016, it's clear we need better data protection.

Ryan O'Leary, vice president at WhiteHat Security, told SC Media UK: “Despite huge publicity around data breach incidents, hackers are continuing to exploit often well-known vulnerabilities in order to get hold of large databases of personal information. Web applications are now one of the key vectors targeted by hackers looking to steal data; roughly 40 percent of all data breaches occur at this level. These applications are really the front line for data protection, as they often gather and store sensitive customer data.”

O'Leary added: “Those in charge of securing websites and mobile applications need to be proactive and build with security in mind. It may take a bit more time or cost a bit more money, but it's a solid investment to prevent media embarrassment and loss of trust from users. The easiest, most dangerous vulnerabilities in the flagship application, or applications that contain private information, should be dealt with first, regardless of how difficult they are to fix. Finally, the remediation of any serious flaws must be done in a timely fashion.”

Data Privacy Day's educational initiative originally focused on raising awareness among businesses as well as users about the importance of protecting the privacy of their personal information online, particularly in the context of social networking.

“The unstoppable growth of both social media and the Internet of Things presents increasing privacy challenges for consumers,” says Mikko Hypponen, F-Secure's chief research officer. “Businesses that rely on collecting and monetising data are gaining ever-increasing access to users' lives – practices that must be understood.”

“I believe data is the new oil,” says Hypponen. “And just like oil brought us both prosperity and problems, data will bring us prosperity and problems.”

Hypponen has long warned about how free services target their customers using a shocking amount of specificity. “Twitter knows if you're expecting a new child in your family in the next six months,” he explains. “And as a Twitter advertiser, you can use this to target your ads accordingly. It's quite clear that this information isn't coming from your tweets or whom you are following on Twitter. It turns out this information is actually being bought by Twitter from large data warehousing companies. Twitter then connects this information to your account through your phone number.”

The good news is users are becoming more security conscious, according to an F-Secure survey. Owners of Mac or iOS devices were just as likely to say that their computer needs virus protection as those who use Windows or Android devices, a positive development because Apple users are more likely to make commercial transactions on their devices.

Simon Moffatt, senior product manager at ForgeRock, agrees: “We are now well and truly in the ‘age of the consumer’ and the consumer, as the true data owner, wants to see transparent, consent-driven privacy management and data sharing options, for every online service they interact with. Businesses need to be in a position to provide consumer-centric solutions, not only for the new EU data protection laws, but also as a competitive differentiator.”

Emma Butler, data protection officer at Yoti said: “Data Privacy Day presents a great opportunity to promote best practice for both consumers and businesses when it comes to protecting personal data. YouGov recently reported that 87 percent of people are worried, to some extent, about the security of their personal data online. It's clear that the issue is on the radar of more individuals than ever before.”

Butler added: “This year, I'm especially keen to see the technology industry encourage an environment where transparency and engagement with consumers come first. With the explosion of digital technologies, organisations are sweeping up vast quantities of data about consumers' activities, often without them being fully aware. Gaining consumers' trust and confidence in the use of their data will increasingly become a vital source of competitive advantage for companies.”

This year's Data Privacy Day comes at a particularly intriguing time in terms of compliance. Not just as we see businesses start to adapt to the EU General Data Protection Regulation (GDPR), but also the introduction of new legislation – including draft ePrivacy data regulation in the EU and the UK Government's Investigatory Powers Act 2016.

There's no doubt this will cause more uncertainty for businesses over how they protect their data from prying government eyes. In fact, over the next year, businesses may look to contingency methods like cyber-insurance.

Lillian Pang, senior director of legal and data protection officer at Rackspace said: “Data Privacy Day is a reminder organisations are now halfway through the two year compliance period since the General Data Protection Regulation (GDPR) legislation was adopted by the EU Commission. At a time when we create more valuable data than ever, it is crucial that personal data is kept private and secure, by the businesses that store it, from both internal and external threats. For UK businesses however, 2017 will see two additional pieces of legislation in the mix – the draft ePrivacy Regulation and the UK Government's Investigatory Powers Act 2016 – which have the potential to increase compliance requirements even more and cause further concern and uncertainty. Additionally, some businesses will need to consider the impact of emerging technologies such as AI and machine learning on their obligations of data protection. While a business may achieve reasonable compliance with the GDPR, this should only be viewed as a benchmark for cyber security, and businesses should aim to continually raise the bar in order to stay abreast with the changing security landscape.”

Unfortunately, despite users being more aware, as Jean-Frederic Karcher, head of security at Maintel, points out, “The cyber-crime epidemic will only get worse with a projected cost to the global economy of £1.7 trillion by 2019. Cyber-crime does not discriminate; it affects businesses of all shapes and sizes.”

KPMG's Fraud Barometer report recorded a rise in online frauds, up 1266 percent on 2015 figures. This includes a £113 million cyber-fraud, the largest recorded in UK courts since 2008. Overall, cyber-crime cost the UK £124 million.

The overall fraud figure has topped £1.137bn in 2016 compared to £732m the year before. Consequently, the average value of fraud has more than doubled to £5.2 million from £2.4 million. The figures include over £900 million derived from just seven super cases.

Karcher concluded: “Besides identifying risks and areas of exposure, a security audit will also get the ball rolling in terms of General Data Protection Regulation (GDPR) preparedness. The impending regulation has the ICO on hand to distribute major fines for non-compliance which means boards and senior management can no longer afford to ignore this security framework. In a GDPR world, there will simply be nowhere to hide for an organisation that suffers a breach.”