Digital forensics and the GDPR: examining corporate readiness

Sandy Taramonli, Robert Bird

    Research output: Chapter in Book/Report/Conference proceeding › Conference proceeding › peer-review


    Intending to give greater privacy rights to individuals, the new EU General Data Protection Regulation (GDPR) will be applicable in all EU member states from 25 May 2018. Organisations will have a mandatory obligation to report breaches of personal data, and will face fines of up to 4% of global turnover – or €20 million (approximately £17.3 million) – whichever is the greater. Victims of personal data breach will have the right to judicial remedy, and compensation limits are uncapped. Faced with such deterrents, organisations will need to ensure they are fully ready for the GDPR’s arrival, yet they now have less than 12 months to become compliant. In data protection terms, this is a seismic event. This paper aims to examine corporate GDPR readiness, with focus on how digital forensic process can help with data breach investigations, mindful that organisations may be less able to defend themselves in legal proceedings if the evidence they present has not been acquired reliably. For the purposes of this research, scope was limited to organisations in the UK, to avoid complications of legal jurisdiction and sovereignty boundaries, and because of topical uncertainty caused by the UK’s 2016 referendum decision to leave the EU. The author’s previous experience in corporate IT environments led to a natural curiosity of how well IT departments are preparing for the GDPR. Research was quantitative in nature and adopted the critical research method. Primary research included an online survey, completed anonymously by 145 IT workers, which aimed to gauge organisations’ levels of maturity regarding data protection and forensic investigation. Results were critically analysed and compared to existing research where available, and to the author’s own theoretical assumptions. Findings suggest that most organisations are significantly under-prepared for the GDPR and that workplace investigations of suspected computer misuse are predominantly undertaken by IT staff who lack basic awareness of digital forensic principles and data protection. The financial and reputation risk posed to companies cannot be underestimated: ignorance is no defence.
    Original language: English
    Title of host publication: Cyber Warfare and Security
    Place of Publication: Reading
    Publisher: Academic Conferences and Publishing International Limited
    ISBN (Electronic): 978-1-911218-44-9, 2048-8610
    ISBN (Print): 978-1-911218-43-2, 2048-8602
    Publication status: Accepted/In press - 2 Apr 2017
    Event: European Conference on Cyber Warfare and Security - Dublin, Ireland
    Duration: 29 Jun 2017 → 30 Jun 2017
    Conference number: 16


    Conference: European Conference on Cyber Warfare and Security
    Abbreviated title: ECCWS


    • GDPR
    • data protection
    • ACPO principles
    • personal data breach
    • workplace investigation

