What is GDPR? Everything you need to know as countdown to new cyber security regulation begins

For free real time breaking news alerts sent straight to your inbox sign up to our breaking news emails

Sign up to our free breaking news emails

Please enter a valid email address

Please enter a valid email address

SIGN UP

I would like to be emailed about offers, events and updates from The Independent. Read our privacy policy

Thursday marks a year until GDPR, or the General Data Protection Regulation, comes into effect. That means businesses have roughly 365 days to make the necessary changes to the way in which they operate and manage risk to ensure they abide by the new law.

If the recent WannaCry cyberattack hasn’t got business leaders to sit up and take notice, GDPR will force them to. If the cyber-criminals involved in the WannaCry attack had chosen leak data from their victims rather than encrypt it, the financial consequences under GDPR would have been extensive.

Ultimately, the arrival of GDPR will put the control of personal data back into the hands of the individual, allowing a number of rights including access to their data and the ability to withdraw it. It also means that organisations cannot simply gather data without good reason and must prove that they are doing all they can to protect the data they do hold.

The law applies to any company that is targeting consumers in the European Union and holding or transporting data relating to them, meaning it has the potential to impact companies globally.

GDPR also specifies that organisations have to appoint a specific data protection officer, who is distinct from a risk officer and all IT functions that currently exist. It’s a role that has to sit outside of IT and outside of the boardroom to have the independence to ensure the business adheres to the regulation.

It is vital businesses understand the importance and the responsibility tied to these new regulations.

For example, non-compliance penalties could lead to fines of up to €20m or 4 per cent of a company’s global annual turnover. It’s not a case of opting in or out, it’s a stark case of comply or face the consequences.

While GDPR dictates that organisations must implement appropriate governance and accountability in their processing and protecting of data, it is just as important that we adopt a “neighbourhood cyber-watch” approach and make threats and data security everyone’s concern, not just those with a governance or security role.

According to Cisco’s annual cybersecurity report, today’s average large enterprise can face as many as 70,000 security events per week. The WannaCry attack has shown how devastating malware can be, and how quickly an issue can spread to affect the entire world in a matter of hours.

These threats are more than individuals, businesses and governments can tackle alone. The success of the cybercriminals is in part down to the lack of awareness of attack methods and in parallel, how to secure systems. Nevertheless, a key takeaway from the recent attacks has to be that a large number of organisations weren’t affected and managed to rebuff the assault.

Developing a society that is resilient to cyberattacks implies a willingness by all parties to share knowledge and insight about the latest threats to help reduce cybercriminals success rates and minimise the impact on businesses overall. Keeping a watchful eye on threats and warning those around us of danger has served humanity well as a model of protection for millennia.

Ultimately, cybercriminals are an organisations’ biggest competitor and a country’s biggest threat. The threat environment and the legislative environment are changing.

The WannaCry cyber-attack should serve as a stark wake up call for everyone that cybercrime is real and the consequences can be grave. It is possible to be prepared and to repel attacks, nevertheless the financial consequences of a successful breach are soon to get a whole lot more severe.

We have 365 days and counting.

Terry Greer-King is a director of cybersecurity at multinational technology conglomerate Cisco.