Digital forensics and the GDPR: examining corporate readiness

Sandy Taramonli, Robert Bird

Research output: Chapter in Book/Report/Conference proceeding › Conference proceeding

Abstract

Intending to give greater privacy rights to individuals, the new EU General Data Protection Regulation (GDPR) will be applicable in all EU member states from 25 May 2018. Organisations will have a mandatory obligation to report breaches of personal data, and will face fines of up to 4% of global turnover or €20 million (approximately £17.3 million), whichever is the greater. Victims of a personal data breach will have the right to judicial remedy, and compensation limits are uncapped. Faced with such deterrents, organisations will need to ensure they are fully ready for the GDPR's arrival, yet they now have less than 12 months to become compliant. In data protection terms, this is a seismic event. This paper aims to examine corporate GDPR readiness, with a focus on how the digital forensic process can help with data breach investigations, mindful that organisations may be less able to defend themselves in legal proceedings if the evidence they present has not been acquired reliably. For the purposes of this research, scope was limited to organisations in the UK, to avoid complications of legal jurisdiction and sovereignty boundaries, and because of topical uncertainty caused by the UK's 2016 referendum decision to leave the EU. The author's previous experience in corporate IT environments led to a natural curiosity about how well IT departments are preparing for the GDPR. Research was quantitative in nature and adopted the critical research method. Primary research included an online survey, completed anonymously by 145 IT workers, which aimed to gauge organisations' levels of maturity regarding data protection and forensic investigation. Results were critically analysed and compared to existing research where available, and to the author's own theoretical assumptions. Findings suggest that most organisations are significantly under-prepared for the GDPR and that workplace investigations of suspected computer misuse are predominantly undertaken by IT staff who lack basic awareness of digital forensic principles and data protection. The financial and reputational risk posed to companies cannot be underestimated: ignorance is no defence.
Original language: English
Title of host publication: Cyber Warfare and Security
Place of publication: Reading
Publisher: Academic Conferences and Publishing International Limited
Pages: 683
ISBN (Electronic): 978-1-911218-44-9, 2048-8610
ISBN (Print): 978-1-911218-43-2, 2048-8602
Publication status: Accepted/In press - 2 Apr 2017
Event: European Conference on Cyber Warfare and Security - Dublin, Ireland
Duration: 29 Jun 2017 to 30 Jun 2017
Conference number: 16
Internet address: http://www.academic-conferences.org/conferences/eccws/

Conference

Conference: European Conference on Cyber Warfare and Security
Abbreviated title: ECCWS
Country: Ireland
City: Dublin
Period: 29/06/17 to 30/06/17
Internet address: http://www.academic-conferences.org/conferences/eccws/

Keywords

  • GDPR
  • data protection
  • ACPO principles
  • personal data breach
  • workplace investigation


Cite this

Taramonli, S., & Bird, R. (Accepted/In press). Digital forensics and the GDPR: examining corporate readiness. In Cyber Warfare and Security (p. 683). [77] Reading: Academic Conferences and Publishing International Limited.