Tens of thousands of firms will be caught up in GDPR's mandatory breach notification requirements, warns Forcepoint's Neil Thacker

When the Netherlands introduced breach notification requirements, more than 4,000 companies were caught in the dragnet

Tens of thousands of organisations in the UK risk humiliation next year when the EU General Data Protection Regulation (GDPR) introduces mandatory breach notification into British law for the first time.

The measure - just one of many in the GDPR - will oblige companies and other organisations data to inform the Information Commissioner's Office (ICO) of a potential leak of personal data within 72 hours of the breach being detected.

"In the Netherlands, they introduced mandatory breach notification last year. Over 4,000 notifications have been made to the data-protection supervising authority since then," said Neil Thacker, deputy CISO of security software and services company Forcepoint, told today's Computing IT Leaders Forum.

He added: "I'd expect that number to be much bigger in the UK. In addition, more than 90 per cent of the 4,000 breaches related to employee misuse of data."

While many organisations are focused on threats from outside, the fact that employees are typically the weak link suggests that organisations ought to put internal risks first, suggests Thacker, with such measures as profiling tools and other network monitoring to reduce this risk first.

For example, he said, "if someone in the HR team sends personal data to Dropbox you may want to block that unless you have an agreement with Dropbox to store data in their cloud".

For the legal profession, said Robert Bond, partner at law firm Bristows, the Panama Papers leak provided a long-overdue wake-up call. For a law firm, such a data spill could be catastrophic in terms of ruined business relationships, liability and, ultimately, the loss of clients to rivals.

The Panama Papers were documents exfiltrated from a law firm in Panama dealing with clients looking for discrete, tax-efficient legal advice. Millions of documents were leaked when hackers gained access to the law firm's network, taking advantage of lax security.

Sounding an ominous technical warning, perhaps, University College London head of information security Bridget Kenyon pointed out that the GDPR does not come into force on 25 May next year - it's already in force, with the deadline largely referring to a drastic ratcheting-up of potential fines.

Regulators could, she suggested, choose to 'save up' transgressions now and deal with them next year when fines of up to four per cent of turnover could be levied.

The next IT Leaders Forum, 'Data, Insight, Action - The New Imperative', is on 28 March. Places are free to qualifying IT leaders and senior IT pros. To find out more and to register, please visit Computing's Events website.