It seems like all anybody is talking about these days is GDPR. However, privacy and data protection is so much more than just GDPR.
First of all, an important distinction needs to be made – while GDPR compliance may save you from having to pay massive fines (EUR 20 million or 4% of your global turnover), GDPR compliance will not save you from a cyber-attack.
When you look at any cyber breach event, there are several tenets that need to be focused on. The first is the pre-breach regime. This obviously includes ensuring compliance with GDPR and any other relevant regulatory regime, but it should also include applying industry best practices, such as keeping all firewalls and anti-virus software up to date.
However, as hackers get smarter and as technology continues to advance at an insane pace, almost no degree of preparation can fully protect you from an attack. That is why the second tenet, post-breach preparation, is perhaps even more important than the first.
The GDPR craze has left everyone trying to tick off all the boxes in terms of regulatory compliance, while little attention is given to addressing what happens if you actually get attacked.
Well, if you are so unfortunate as to experience an attack, there are two things you are going to ask yourself. First: did I do everything required in terms of compliance so as not to be susceptible to regulatory fines? Second: what can I do now to keep my customers and suppliers feeling happy and secure, to ensure minimum damage to my IT systems and to get my organization back up and running as soon as possible? While GDPR compliance may put you in a better position to withstand regulatory scrutiny and possible civil claims, it is certainly not fool-proof, and the damage of a cyber breach does not amount solely to regulatory fines.
If 2017 has taught us anything, it’s that when it comes to data breaches – no one is safe. More than 50% of U.S. businesses experienced a cyber-attack in 2017 and nearly 2 billion records were lost or stolen. That’s why we strongly encourage that you conduct yourself with the certainty that, at some point, you will be attacked – and that you prepare yourself accordingly.
How can you prepare yourself for the inevitable? Here are a few simple steps to get you started: (1) allocate a portion of your budget to IT and data security; (2) appoint a trusted individual to oversee privacy and security development and compliance as an express component of that individual's job responsibilities; (3) have a first-response team and a breach response plan in place; (4) retain experienced legal counsel; (5) liaise with computer forensic and other risk-avoidance/crisis-management consultants; (6) work with your legal advisors and HR personnel to develop written cybersecurity policies and procedures; (7) develop templates and information security tools for use with employees, vendors and third-party business partners; (8) purchase dedicated cyber/privacy insurance; (9) prepare pre-crafted communication templates and drill your PR and communications team so they are ready on the day of a breach.
If you do all of the above, you are guaranteed to be in a better position than if you relied solely on GDPR compliance.