How Would WannaCry Have Triggered GDPR Penalties?

When 25 May 2018 rolls around, businesses large and small across the United Kingdom are going to be bound by General Data Protection Regulations (GDPR). These regulations will be dramatically changing the requirements businesses need to meet to protect the personal data of their clients, customers, and employees, and fines for failing to meet them are set to be very steep.

It’s easy for businesses to downplay the importance of GDPR penalties, reasoning that they will never find themselves in the firing line, so it’s a good idea to look at how recent cybersecurity crises would have played out for UK businesses if GDPR were already in effect. Reported to have infected more than 230,000 computers in over 150 countries, the WannaCry ransomware attack is an obvious place to start.

Ransomware locks people out of their data by encrypting it and demanding payment for its release – WannaCry demanded at least $300 worth of Bitcoin. Now, you might argue that WannaCry encrypted rather than stole data, but GDPR tells us that a data breach covers the “unlawful destruction [and] loss” of data. WannaCry ransomware certainly meets those criteria, since it accessed the data unlawfully and threatened its complete loss.

Making the matter worse is the fact that GDPR stipulates that you must follow proper practices. If you make any mistakes in the way your data is stored and protected, you can be held accountable for data loss. Unfortunately, many businesses and organisations across the world were affected by WannaCry simply because they were using outdated operating systems. A patch was even available for download that would have prevented the malware from entering the system, but clearly plenty of people ignored it. This highlights the importance of companies carrying out thorough GDPR audits on a regular basis, for which there is ample help available (this URL points to one such provider with expert GDPR consultants). With a little effort, businesses can make sure they stay compliant, which is beneficial on both legal and ethical grounds, not to mention that it can help prevent data breaches and cyberattacks.

If you were lucky enough not to get hit by this latest cybersecurity risk, you might still be hit by the next one. If this happens under similar circumstances after 25 May 2018, you may be held liable under the new GDPR penalty guidelines. As well as potentially losing your customers, you could end up owing them a considerable amount of money.
