What will happen on 25th May 2018?
2018-03-20

That is the day that the EU General Data Protection Regulation (GDPR) will come into force. It is a great idea for private individuals. At long last, they will start to have serious protection for their own private data. Any organisation that holds personally identifiable information (PII) of an EU resident must comply with this legislation, whether it operates within the boundaries of the EU or, as the regulation now extends, anywhere on earth. In practice, this means that the information must be held securely within the electronic systems of all organisations, which, for privacy reasons, means it will need to be stored in an encrypted format.

However, for any organisation that is not prepared for this event – it will not be so good. Any organisation which suffers a cyber breach must report to the regulator to advise which records were read, which were modified, which were deleted and which were exfiltrated from the system to an outside party. The original idea was to insist reporting was completed “within 72 hours of a breach occurring”, but objectors argued it would be unreasonable to expect companies to be able to comply with such a tight deadline. Thus this requirement was changed to “within 72 hours of discovery of a breach”. While the former option had the attention of managers, the watered-down version means they are much less concerned now. Of course, this also presents a moral hazard to managers – how quickly will they ‘discover’ a breach, especially around critical times of the financial year?

However, the potentially huge fines will certainly grab management's attention. Fines can be up to the greater of €20,000,000 or 4% of global turnover based on the previous year’s accounts. In order to mitigate against such punitive fines, organisations will need to ensure systems are properly set up to minimise the impact of a breach on PII held within the organisation’s systems. This will require meaningful security systems which are properly monitored. Private data should be encrypted and protected by robust security and monitoring. While encryption is not mandatory, where encryption is properly used, it is likely to have a huge mitigating impact on any potential fine. Organisations that do not use encryption are likely to suffer considerably higher levels of fine in the event of a cyber breach.

Will it matter what kind of computer system the business uses?

The short answer is yes. If the business uses cloud computing, there is a little-known additional risk to which all such businesses are exposed. It is such a serious issue that it may prevent the business from being able to comply with the new regulation. It is known as the ‘cloud forensic problem’ and arises when an attacker gains access to a cloud system. Once the attacker gains a foothold in the cloud system and becomes an intruder, their first target will be to escalate privileges until they are able to modify or eliminate the cloud forensic trail to disguise all evidence of their intrusion. There is currently no mechanism by which this can be prevented. Clearly, from a compliance perspective, this will matter. And of course, the potential fine is likely to increase significantly as a consequence.
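The paragraph above describes an intruder who rewrites or deletes the forensic trail once they hold sufficient privilege. The following Python sketch is an added illustration (it is not from Dr Duncan's paper or the original post) of the detection side of that problem: every audit entry is bound by a hash to its predecessor, and the latest hash is copied to storage the intruder cannot reach. Modification of an entry breaks the chain; deletion of the tail is only caught because of that external copy. The event records and the "external anchor" variable are constructed for the example.

```python
"""Hash-chained audit log with tamper detection (constructed illustration, not
the original post's code). Shows why an in-platform log alone cannot reveal
deletion of its own tail, and what an external anchor adds."""
import copy
import hashlib
import json
from typing import Any, Dict, List, Optional, Tuple

GENESIS = "0" * 64  # fixed anchor for the first entry of a chain
Entry = Dict[str, Any]


def entry_hash(seq: int, prev_hash: str, record: Dict[str, Any]) -> str:
    """Bind the record to its sequence number and to every earlier entry."""
    payload = json.dumps({"seq": seq, "prev": prev_hash, "record": record},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def append_entry(log: List[Entry], record: Dict[str, Any]) -> str:
    """Append a record and return the new chain head (to be anchored off-platform)."""
    prev = log[-1]["hash"] if log else GENESIS
    seq = len(log)
    digest = entry_hash(seq, prev, record)
    log.append({"seq": seq, "prev": prev, "record": record, "hash": digest})
    return digest


def verify_chain(log: List[Entry], anchor: Optional[str] = None) -> Tuple[bool, str]:
    """Walk the chain and report the first entry whose hash or link is wrong.

    `anchor` is the chain head previously copied to write-once storage outside
    the platform; comparing against it is what exposes silent truncation."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["seq"] != i or entry["prev"] != prev:
            return False, f"link broken at entry {i}"
        if entry_hash(i, prev, entry["record"]) != entry["hash"]:
            return False, f"entry {i} modified"
        prev = entry["hash"]
    if anchor is not None and prev != anchor:
        return False, "tail does not match external anchor (entries deleted or log rolled back)"
    return True, "ok"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Build a small log, then apply the two tampering patterns from the text."""
    # Constructed sample events; names and objects are hypothetical.
    events = [
        {"ts": "2018-05-25T09:00:00Z", "actor": "svc-billing", "action": "read",
         "object": "customer/1042"},
        {"ts": "2018-05-25T09:01:10Z", "actor": "admin", "action": "role_grant",
         "object": "iam/role/root"},
        {"ts": "2018-05-25T09:02:30Z", "actor": "admin", "action": "delete",
         "object": "customer/1042"},
    ]
    log: List[Entry] = []
    anchor = GENESIS
    for event in events:
        anchor = append_entry(log, event)  # in practice, ship this value off-platform
    results = {"intact": verify_chain(log, anchor)}

    # 1. The privilege-escalation event is rewritten to look benign.
    modified = copy.deepcopy(log)
    modified[1]["record"]["action"] = "login"
    results["modified"] = verify_chain(modified, anchor)

    # 2. The last two events are deleted; the survivor is left untouched.
    truncated = copy.deepcopy(log[:1])
    results["truncated_no_anchor"] = verify_chain(truncated)          # chain looks fine
    results["truncated_with_anchor"] = verify_chain(truncated, anchor)  # caught by anchor
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Note that an intruder with write access to the whole log can recompute every hash after editing it, so the chain only has value if the head hash reaches storage that the compromised platform cannot rewrite. That is detection, not prevention, which is consistent with the post's point that the problem itself cannot currently be prevented.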

You can read Dr Duncan's paper in full here: http://www.thinkmind.org/index.php?view=article&articleid=cloud_computing_2018_1_10_28010 

Dr Robert Duncan is a senior lecturer in Accounting and Finance at the University of Aberdeen Business School and is co-Chair for the Enterprise Security Workshop at the IEEE/ACM International Conference on Utility and Cloud Computing, as well as being a member of the Advisory Committee for the CLOUD COMPUTING series.

Published by Business School, University of Aberdeen
