Organisations warned that failure to patch vulnerabilities could lead to fines under the GDPR

The General Data Protection Regulation (GDPR) comes into effect on 25 May 2018. New warnings from the Information Commissioner's Office (ICO) mean that organisations could now be penalised for failing to patch known vulnerabilities in their IT estate.

Under Article 32, businesses have a responsibility to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. This includes measures such as:

  • The pseudonymisation and encryption of personal data;
  • The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  • A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

Failure to comply with the requirements of the GDPR could lead to enforcement action against the offending business by the ICO. Although the highest fines of €20 million or 4% of global annual turnover are likely to be reserved for the most serious violations, any non-compliant conduct that results in enforcement action could be costly.

Nigel Houlden, Head of Technology Policy at the ICO, said: “There may be some circumstances where organisations could be held liable for a breach of security that relates to measures, such as patches, that should have been taken previously.”

He added: “We therefore strongly recommend that organisations determine which of their systems are vulnerable, and test and apply the patches as a matter of urgency. Failure to patch known vulnerabilities is a factor that the ICO takes into account when determining whether a breach of the seventh principle of the Data Protection Act is serious enough to warrant a civil monetary penalty.”

Eventura advocate a model of prevent, detect, respond, recover. How this model could work for you depends on your business and risk appetite. Eventura are always happy to discuss your current security solutions, including patching and configuration management. Please do not hesitate to contact us for more information.
