Interesting article in The Times featuring the recent DLA Piper survey on data breaches and associated fines. This clearly shows the impact that the GDPR is having in driving both the quantity of incidents being reported and the level of financial penalties being employed.
I cannot agree more with the quote from Ross McKean at DLA Piper in that: “We are still in the early days of enforcement [and] We expect to see momentum build.” This is an issue that is becoming increasingly at the forefront of senior management's minds, regardless of industry or maturity of the firm.
Equally, we are seeing this become an increasingly important feature in transactions, where both buyers and sellers are focusing more and more on cyber risk during due diligence exercises as well as post-deal activities. Key to these concerns is a focus not just on the technical measures but, more importantly, on the human controls and how risk is identified, managed and mitigated within an organisation. Any investments in cyber security need to be fully assessed based on how they help management mitigate business risk in a cyber context, rather than treated as a simple technology purchasing decision.
Cyber and data risk is not an issue that is suddenly going to be "solved"; companies therefore need to get comfortable with the level of risk they face and how best to mitigate those risks.
Fines totalling almost £100 million have been levied across Europe under new data protection rules that came into force in May 2018. A survey by DLA Piper, the law firm, found that more than 160,000 breaches of the rules have been recorded across the 28 European Union member states plus Norway, Iceland and Liechtenstein, resulting in fines of €114 million. France topped the rankings for the total value of fines imposed under the general data protection regulation, at just over €51 million, followed by Germany, with €24.5 million, and Austria, with €18 million. Measured by the number of data breaches, the Netherlands was the biggest offender, with 40,647 instances notified to regulators, followed by Germany, with 37,636. Third worst was Britain, with 22,181 notifications.
