Data breaches are potentially fatal occurrences for businesses – especially for those that provide products or services that require the storage of personal data.
With the General Data Protection Regulation (GDPR) due to apply from May 2018, data breaches are about to become a whole lot scarier for organisations.
So, what exactly is a data breach?
A data breach is the release of confidential information to an unauthorised or untrusted person or environment.
You may remember that in 2017 Yahoo revealed that a breach dating back to 2013 had compromised all 3 billion of its accounts, meaning every Yahoo user was affected by the data leak; the intrusions were later attributed to Russian hackers.
While you may be thinking that every data breach is carried out by someone sitting in a dark room behind an anonymous IP address, you’d be wrong. Hacking has become an industry, with dedicated businesses that have goals to reach and quotas to fulfil. Nor is every data protection breach carried out exclusively from behind a computer screen: Jamie Woodruff, one of the world’s best-known ‘ethical hackers’, spoke to Eureka about his favourite hack, which involved dressing as a pizza delivery boy to gain physical access to the target business.
Uber is another company that has recently been in the spotlight for all the wrong reasons regarding data leaks. In late 2016 the company discovered that it had suffered a data protection breach exposing the personal data of 57 million Uber users and drivers. Instead of promptly informing the affected customers and drivers, it paid the hackers $100,000 to keep quiet, and the breach only became public in November 2017.
These sorts of occurrences are exactly what the EU’s GDPR law seeks to wipe out.
Under the GDPR, an organisation whose non-compliance leads to a data breach can be fined up to €20 million or 4% of its global annual turnover, whichever is greater (a lower tier of €10 million or 2% applies to lesser infringements). One would hope this is enough to scare any organisation into protecting the data of its customers.
The GDPR also requires organisations to report breaches promptly: the supervisory authority must be notified within 72 hours of the organisation becoming aware of the breach, and affected data subjects must be told without undue delay where the breach is likely to put their rights and freedoms at high risk. Prompt notification does not by itself avoid a penalty, but an organisation that reports within the deadline, explains what happened and can demonstrate that it was otherwise compliant is in a far better position than one that conceals a breach, since failing to notify is itself a breach of the regulation. The notification must describe the nature of the breach, its likely consequences and the measures taken to address it.
Protecting against data breaches is no simple task, but there are key actions that provide the basis for a good data protection policy. Encrypting personal data is a good place to start, and it matters for notification too: the GDPR does not require data subjects to be informed if the leaked data had been rendered unintelligible to unauthorised parties, for example by encryption, provided the keys were not exposed as well. Organisations should also carry out regular tests and audits to ensure that all measures are working properly, and the Data Protection Officer (DPO) should keep reviewing the systems in place and maintain records of them to communicate to the relevant regulatory bodies.
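The point about encryption deserves a concrete illustration, so here is an added example (not code from the article or from any company mentioned in it) of field-level encryption of a customer record. It assumes a hypothetical `Record` with an `ID` and an `Email` field, encrypts only the personal data with AES-256-GCM, and binds each ciphertext to its record ID so that a leaked database dump cannot even be rearranged by swapping encrypted values between rows. The key is held in memory here so the example runs offline; in a real deployment it would live in a KMS or HSM, separate from the database, which is exactly what makes a dump of the table unintelligible to whoever steals it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// Record is a hypothetical row as it would be stored in an application
// database. The ID stays in the clear so the row can still be looked up;
// only Email (the personal data) is encrypted.
type Record struct {
	ID    string
	Email string // base64(nonce || ciphertext || GCM tag) once encrypted
}

// Vault wraps the data-encryption key. Assumption for this example: the key
// is supplied by the caller and kept out of the database entirely.
type Vault struct{ aead cipher.AEAD }

// NewVault builds an AES-256-GCM AEAD from a 32-byte key.
func NewVault(key []byte) (*Vault, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead}, nil
}

// Encrypt seals a plaintext field under a fresh random nonce. The record ID is
// passed as additional authenticated data, so the ciphertext only decrypts
// when presented together with the same ID.
func (v *Vault) Encrypt(id, plaintext string) (string, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	// Seal appends the ciphertext and tag after the nonce: nonce || ct || tag.
	sealed := v.aead.Seal(nonce, nonce, []byte(plaintext), []byte(id))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// Decrypt reverses Encrypt. Any change to the stored blob, the key or the
// record ID makes the GCM tag check fail, and no plaintext is returned.
func (v *Vault) Decrypt(id, stored string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	ns := v.aead.NonceSize()
	if len(raw) < ns+v.aead.Overhead() {
		return "", errors.New("ciphertext too short")
	}
	pt, err := v.aead.Open(nil, raw[:ns], raw[ns:], []byte(id))
	if err != nil {
		return "", errors.New("decryption failed: wrong key, wrong record id or tampered data")
	}
	return string(pt), nil
}

func main() {
	// Constructed sample key and record; a real key would come from a KMS.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	v, err := NewVault(key)
	if err != nil {
		panic(err)
	}
	rec := Record{ID: "user-1"}
	rec.Email, _ = v.Encrypt(rec.ID, "alice@example.org")
	fmt.Println("as stored in the database:", rec.Email)
	email, _ := v.Decrypt(rec.ID, rec.Email)
	fmt.Println("with the key:", email)
	_, err = v.Decrypt("user-2", rec.Email)
	fmt.Println("moved to another row:", err)
}
```

The stored column is what an attacker gets from a leaked dump: a random-looking blob per row that cannot be read without the key, cannot be altered without the tag check failing, and cannot be transplanted onto a different record ID. Whether that qualifies as "unintelligible" for notification purposes still depends on the key not having been taken in the same incident, which is why key storage and database storage must be separated.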