How Can Europe Do Better? GDPR and Data Protection Best Practice

Tim Bandos, CISO at Digital Guardian, shares his tips for maintaining GDPR and data protection best practice, and explains how businesses can learn from the mistakes made by other corporations.

Regulators have issued £245mn (€272.5mn/$332mn) in fines since the European Union’s General Data Protection Regulation (GDPR) first came into force in May 2018. According to a new report by the global law firm DLA Piper, a total of 281,000 data breach notifications stemming from GDPR have been issued since the legislation’s inception, with Germany (77,747), the Netherlands (66,527) and the UK (30,536) topping the table for the number of breaches notified to regulators. In total, the report records a worrying double-digit growth in breach notifications for the second year running, up 19% in 2020.

The UK regulator gets serious about enforcement

Many of the larger GDPR fines of late stem from organisations not having appropriate security measures in place. Among the European regulators assessed on their enforcement actions, the UK’s Information Commissioner’s Office (ICO) has taken a steadfast stance on its willingness to use its powers against GDPR infringements.

The two most highly publicised cases are the ICO’s notice of intent to fine British Airways (BA) £183.39mn for breaches of data protection law, and its action against Marriott Hotels. In the light of the global pandemic, the penalty finally imposed by the ICO on BA for failing to protect the personal and financial details of more than 400,000 of its customers was adjusted to £20mn in October 2020. Similarly, the ICO’s intention to fine Marriott Hotels more than £99mn for exposing over 339mn guest records was reduced to £18.4mn.

What went wrong – learning from others

The DLA Piper report highlights how failing to take a number of key measures potentially puts firms at risk of breaching Article 32 and the related Article 5(1)(f) of GDPR. These failures include:

  • Not monitoring privileged user accounts
  • Not monitoring access to and use of databases storing personal data
  • Not implementing server hardening techniques to prevent access to administrator accounts
  • Not encrypting personal data, especially more sensitive personal data
  • Storing passwords in plain-text, unencrypted files (known as hardcoding)
  • Failure to use multi-factor authentication to prevent unauthorised access to internet-facing applications
  • Not logging failed access attempts
  • Not applying strong access controls for applications on a needs basis, with prompt removal of access when no longer required
  • Not undertaking regular penetration testing
  • Not managing payments in a PCI DSS-compliant way.

When British Airways’ systems were compromised, hackers got hold of login details, payment card information and personally sensitive data like passenger names and addresses. According to the ICO, this attack was preventable, but British Airways did not have sufficient security measures in place to protect its systems. For example, at the time of the breach it had not even implemented the basics like multi-factor authentication.

In the case of Marriott Hotels, the intrusion originated in the reservation system of Starwood Group, which Marriott acquired in 2016. Yet it took two years for Marriott to discover it, and then only after a chance review of an unusual database query made from an administrator account that an external attacker had taken over.

The ICO found that, in addition to failing to perform adequate due diligence after acquiring Starwood, Marriott should have done more to protect its systems with a stronger data loss prevention (DLP) strategy. Worryingly, a key security failure on the part of Marriott came to light: although it stored customer credit card numbers in encrypted form, the encryption keys were kept on the same server, so anyone with access to that server could decrypt the card data. Similarly, most guest passport numbers were never encrypted before being stored.
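The checklist above calls for monitoring privileged accounts, monitoring access to databases holding personal data, and logging failed access attempts, and the Marriott intrusion was only found through a chance review of one unusual query. The following Python script, added here as an illustration and not code from the article or from Digital Guardian, shows how such review can be made routine: it parses a constructed database audit log (the log format, account names, table names and thresholds are all assumptions) and raises alerts for repeated failed logins and for privileged accounts bulk-reading personal-data tables.

```python
import re
from collections import Counter

# Constructed sample audit log (not real data); the format is an assumption:
# <timestamp> user=<account> event=<login|query> status=<ok|fail> [table=<t> rows=<n>]
SAMPLE_LOG = """\
2021-03-01T02:14:31Z user=dba_admin event=login status=fail
2021-03-01T02:14:40Z user=dba_admin event=login status=fail
2021-03-01T02:14:52Z user=dba_admin event=login status=fail
2021-03-01T02:15:03Z user=dba_admin event=login status=ok
2021-03-01T02:16:10Z user=dba_admin event=query status=ok table=guests rows=250000
2021-03-01T02:17:45Z user=dba_admin event=query status=ok table=passports rows=48000
2021-03-01T09:02:00Z user=alice event=query status=ok table=guests rows=3
"""

PRIVILEGED_ACCOUNTS = {"dba_admin"}                               # assumed
PERSONAL_DATA_TABLES = {"guests", "passports", "payment_cards"}   # assumed
FAILED_LOGIN_THRESHOLD = 3    # repeated failures against one account
BULK_ROW_THRESHOLD = 10_000   # a privileged read this large is unusual
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) status=(?P<status>\S+)"
    r"(?: table=(?P<table>\S+) rows=(?P<rows>\d+))?$"
)

def parse_log(text):
    """Turn audit log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["rows"] = int(e["rows"]) if e["rows"] else 0
            events.append(e)
    return events

def detect(events):
    """Return (rule, account, detail) alerts covering two checklist items."""
    alerts = []
    # Rule 1: failed access attempts are logged, so count them per account.
    failed = Counter(e["user"] for e in events
                     if e["event"] == "login" and e["status"] == "fail")
    for user, count in failed.items():
        if count >= FAILED_LOGIN_THRESHOLD:
            alerts.append(("failed_logins", user, count))
    # Rule 2: a privileged account pulling a large slice of a personal-data table.
    for e in events:
        if (e["event"] == "query" and e["user"] in PRIVILEGED_ACCOUNTS
                and e["table"] in PERSONAL_DATA_TABLES and e["rows"] >= BULK_ROW_THRESHOLD):
            alerts.append(("privileged_bulk_read", e["user"], f"{e['table']} rows={e['rows']}"))
    return alerts
```

In a real deployment the thresholds would be tuned against each account's normal baseline and the alerts forwarded to the SOC rather than returned as a list.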

Remote working opens up new avenues of attack

The global pandemic has forced many organisations to transition to work-from-home models that have compounded the need to protect sensitive data throughout its lifecycle across an extended enterprise that now features multiple networks, endpoints, and clouds.

Measures like BYOD policies, monitoring of data usage and transfers, multi-factor authentication, and email and storage encryption are just the start. Installing endpoint agents that provide both data protection and malware protection will deliver greater assurance that endpoints are appropriately secured.

To add to this concern, the actions of remote employees also represent a growing risk. According to the industry analyst firm Forrester, insider data breaches are set to increase by 8% in 2021, with a third of all breaches being caused internally. This significant growth in insider incidents is triggered by employee fears around job loss, paired with the relative ease with which data can be moved (via the cloud, network-attached storage, e-mail or USB).

To protect themselves, organisations will need to pursue a robust operations security (OPSEC) strategy that enables them to examine their operations closely, identify where information is most exposed, and then implement the appropriate countermeasures to protect sensitive data.

What’s next for GDPR after Brexit?

There has been a lot of discussion around what will happen once the Brexit transition period ends. The ICO is clear that the Data Protection Act 2018 (DPA 2018) will continue to apply and that GDPR has been incorporated into UK data protection law as the UK GDPR. So in practice, there will be little change to the core data protection principles, rights and obligations found in the UK GDPR going forward.

For organisations that operate in Europe, EU GDPR will still apply. Similarly, the EU GDPR will apply to any European organisation sending data to UK companies. In recent weeks, the European Commission has confirmed a draft decision to allow data to continue to flow from the EU into the UK, and plans to reassess these arrangements every four years to check that UK rules do not compromise the privacy of EU citizens.

Looking ahead

With hybrid working and more collaborative working models set to become a long-term, permanent feature of workforce strategy, the consequences of poor cybersecurity hygiene mean many more organisations may find themselves at risk without an appropriate data loss prevention (DLP) and managed detection and response (MDR) strategy in place.

With the UK committed to maintaining equivalence with EU GDPR, organisations will need to continue to ensure that all data processing activities remain safe and deploy data protection best practices. They will also need to address the growing risk of insider threat and evaluate their policies around privileged user access to resources like customer databases.

Tim Bandos

Tim Bandos, CISSP, CISA, CEH is Vice President of Cybersecurity at Digital Guardian and an expert in incident response and threat hunting. He has over 15 years of experience in the cybersecurity world and a wealth of practical knowledge gained from tracking and hunting advanced threats that targeted highly sensitive data. Most of his career was spent at a Fortune 100 company, where he built an Incident Response organisation; he now runs Digital Guardian’s global Security Operation Center for Managed Detection & Response.
