Abstract
Intending to give greater privacy rights to individuals, the new EU General Data Protection Regulation (GDPR) will be applicable in all EU member states from 25 May 2018. Organisations will have a mandatory obligation to report breaches of personal data, and will face fines of up to 4% of global turnover or €20 million (approximately £17.3 million), whichever is the greater. Victims of a personal data breach will have the right to a judicial remedy, and compensation limits are uncapped. Faced with such deterrents, organisations will need to ensure they are fully ready for the GDPR's arrival, yet they now have less than 12 months to become compliant. In data protection terms, this is a seismic event. This paper aims to examine corporate GDPR readiness, with a focus on how digital forensic process can help with data breach investigations, mindful that organisations may be less able to defend themselves in legal proceedings if the evidence they present has not been acquired reliably. For the purposes of this research, scope was limited to organisations in the UK, to avoid complications of legal jurisdiction and sovereignty boundaries, and because of the topical uncertainty caused by the UK's 2016 referendum decision to leave the EU. The author's previous experience in corporate IT environments led to a natural curiosity about how well IT departments are preparing for the GDPR. The research was quantitative in nature and adopted the critical research method. Primary research included an online survey, completed anonymously by 145 IT workers, which aimed to gauge organisations' levels of maturity regarding data protection and forensic investigation. Results were critically analysed and compared to existing research where available, and to the author's own theoretical assumptions. Findings suggest that most organisations are significantly under-prepared for the GDPR and that workplace investigations of suspected computer misuse are predominantly undertaken by IT staff who lack basic awareness of digital forensic principles and data protection. The financial and reputational risk posed to companies should not be underestimated: ignorance is no defence.
Original language | English |
---|---|
Title of host publication | Cyber Warfare and Security |
Place of Publication | Reading |
Publisher | Academic Conferences and Publishing International Limited |
Pages | 683 |
ISBN (Electronic) | 978-1-911218-44-9; ISSN (Electronic) 2048-8610 |
ISBN (Print) | 978-1-911218-43-2; ISSN (Print) 2048-8602 |
Publication status | Accepted/In press - 2 Apr 2017 |
Event | European Conference on Cyber Warfare and Security - Dublin, Ireland Duration: 29 Jun 2017 → 30 Jun 2017 Conference number: 16 http://www.academic-conferences.org/conferences/eccws/ |
Conference
Conference | European Conference on Cyber Warfare and Security |
---|---|
Abbreviated title | ECCWS |
Country/Territory | Ireland |
City | Dublin |
Period | 29/06/17 → 30/06/17 |
Internet address |
Keywords
- GDPR
- data protection
- ACPO principles
- personal data breach
- workplace investigation