“Complacency is The Biggest Cyber Risk, Not Hackers”: The Importance of Article 32 of the GDPR

Published 31 October 2022

The UK Information Commissioner, John Edwards, has cautioned companies against cyber complacency which is leaving companies and their employees vulnerable to cyber-attack. This is not because of sophisticated hackers but because standard technical and organisational security measures – such as updating software and staff training – were ignored.

Article 32 of the General Data Protection Regulation (GDPR) highlights the importance of technical and organisational security measures to ensure the security of processing. Therefore, in order to be GDPR compliant, companies must adopt and maintain appropriate technical and organisational security measures proportionate to the risks and in consideration of the scope, context and purpose of the processing.

The importance of adhering to Article 32 has recently been reinforced by the Information Commissioner’s Office (ICO) in issuing a £4.4m fine to Interserve Group Ltd, a Berkshire-based construction company, for failing to keep the personal data of its staff secure. The ICO ruled that the company failed to maintain appropriate security measures to prevent a cyber-attack, which enabled hackers to access the personal data of up to 113,000 employees through a phishing email. The compromised data included contact details, national insurance numbers and bank account details of employees, increasing the risk of identity theft and fraud. Special category personal data such as ethnic origin, disabilities, sexual orientation and health information were also stolen.

The Interserve data breach occurred because a phishing email was not blocked or quarantined by their system and was delivered into employee inboxes, where an employee opened it and downloaded its content. This resulted in the installation of malware onto the employee’s workstation. Interserve then failed to thoroughly investigate the suspicious activity. The attacker subsequently compromised 283 systems and 16 accounts, and uninstalled the company’s anti-virus solution.

The ICO investigation ruled that Interserve failed to follow up on the original alert of suspicious activity, used outdated software systems and protocols, and had inadequate staff training and insufficient risk assessments, which ultimately exposed them to a cyber-attack.

In day-to-day work, outdated protocols, lapsed software updates or inadequate staff training may not seem like urgent issues. However, when these weaknesses systematically erode an organisation’s cyber security and data privacy foundation, they open the way to major breaches.

The Importance of Technical and Organisational Measures (Article 32)

Appropriateness

The GDPR provides a list of security measures which may be considered ‘appropriate to risk’ and are designed to integrate the necessary safeguards into the processing of personal data. Controllers and processors should carry out a risk assessment to determine what level of controls is appropriate, bearing in mind all of the circumstances of their processing operations. In determining appropriateness, organisations should also consider the degree of potential damage or loss that might be inflicted upon individuals (such as staff or customers) if a security breach occurs, the effect of any security breach on the organisation itself, and any likely reputational damage as well as the possible loss of customer trust.

Technical

Technical measures include both physical and computer/IT security measures. When determining physical security measures, organisations should look at the robustness of doors and locks, controlling physical access to IT systems and areas where paper-based data is stored, the supervision of visitors to premises, the disposal of paper and electronic waste and how IT equipment, including mobile devices, are kept secure. Examples of technical measures include:

  • Pseudonymisation
  • Secure password protection for computer access
  • Encryption of hard drives
  • Automatic locking of idle computers
  • Removal of access rights for USB and other memory media
  • Virus checking software
  • Firewalls

How Bridewell Can Help

Beyond deploying the GDPR Gap Analysis tool, the central point is this: breaches are inevitable – fines are not. The goal of cyber security and data privacy is not to avoid breaches altogether, but to have the technical and organisational security measures in place to respond swiftly and appropriately. Interserve’s downfall was not that a breach occurred; the problem was:

  • The lack of cyber security and data privacy infrastructure, and
  • The failure to follow up and contain the breach appropriately.

This is where Bridewell’s expert team of cyber security and data privacy consultants can make all the difference. Bridewell can help build your security and privacy infrastructure from the ground up – from putting in place the technical security measures with our cyber security consultants to delivering bespoke training and ‘baking in’ privacy by design with the help of our data privacy consultants. We can assist end to end and keep complacency at bay.