GDPR compliance is not cybersecurity, says analyst

Fines levied under the EU’s General Data Protection Regulation (GDPR) laws are forcing businesses to rethink their cybersecurity strategies. But experts are voicing fears that, while this compliance might look good on paper, it doesn’t add up to better protection in real life and may end up costing them more as a result.

The UK may have exited the EU in dramatic fashion, but that doesn’t mean that it’s exempt from European legislation. Any concern doing business with a member state is still obliged to comply with the GDPR.

Indeed, global fines, including those levied under the EU law, constitute 6% of the £13.5 billion lost by British businesses from the “most notable data breaches” reported to the Information Commissioner’s Office (ICO) between 2019 and 2022, says research by cybersecurity firm Imperva.

But Imperva fears that fear itself may be the problem. Anxious to avoid being slapped with fines, UK organizations are engaging in “tick-box” exercises that may render them duly compliant on paper while still leaving them vulnerable to cyberattacks in the real world.

“It’s undeniable that regulators are taking a stronger line on data breaches. ICO penalties have increased almost tenfold since GDPR fines came into effect,” said Terry Ray, senior vice president of Imperva. “However, there is still a risk organisations are prioritizing measures that demonstrate compliance on paper over those that provide genuine data security.”

Other ICO data scrutinized by Imperva would appear to bear out his point. Over the same period as the global fines were levied, there were a staggering 200 million instances in the UK where a data breach compromised an individual’s personal information – that’s essentially triple the country’s population.

It isn’t clear from Imperva’s report whether this means that people from outside the UK whose details were held by a target organization were compromised too, or if some British residents and citizens were impacted more than once. Either way, the figures add up to a big cybersecurity headache.

Fines the least concern

The GDPR was first enforced in 2018, when the UK was still technically a member of the EU, during the transition period following the Brexit vote in 2016. And since it officially exited, the GDPR has in any case been transposed into UK law.

Since April 2020, when the ICO began issuing fines under GDPR rules, it has fined organisations £44.2 million for personal data breaches due to cybersecurity failures – an average of £14.7 million a year. By comparison, in the 12 months before the GDPR rules came into effect, the ICO levied £1.5 million in penalties for such breaches.

But in Ray’s view, avoidance of fines at the expense of genuine cybersecurity is short-sighted, because the losses resulting from a data breach can far outstrip any financial penalties incurred from displeasing regulators.

“In many cases, initiatives that meet the letter of compliance will not in fact prevent organisations from suffering the financial impact of a data breach, such as from customer churn and reputational damage, which can dwarf any potential fines,” he said. “At present, it would take the ICO 28 years to fine organisations the equivalent of just one of the ‘most notable’ data breaches.”

Businesses caught nodding

Imperva analysed just under 100,000 incident reports submitted to the ICO during the study period. It further believes that nearly a third of them “could have been avoided by having better data management and security.”

As an example, it cites the slow response of UK firms that have suffered a data breach, with 40% of attacks not being reported for at least three days and 18% going unreported for more than a week.

“This is a key issue, as the longer a breach goes undetected the more time attackers have to cause damage, and the more likely regulators and others are to impose harsh sanctions,” said Imperva.

“The vast majority of organisations are not set up to execute a successful data security strategy,” said Ray. “Too many are just carrying out tick-box exercises while data breaches rise by around 34% annually. Often, it’s because businesses simply don’t know if the data security investments they’re making are having any impact.”

It’s all the more worrying given that, in the UK at least, cybercriminals are tending to hit sectors that ultimately hurt the public most: education and healthcare topped the list of those most badly affected, and between them they made up more than a third of total data breaches.

“Without clear metrics that can indicate whether organisations are moving in the right direction, and that they’re more secure today than they were yesterday, we’re going to continue seeing the number and cost of breaches rise,” said Ray.