MetaBlog

Stay informed about cyber awareness training topics and mitigate risk in your organisation.

GDPR in 2019 – Things we have learned 1 year after GDPR


Well, it’s been an eventful few weeks. As the first anniversary of the GDPR coming into force passed, it seemed that many organisations had remained relatively unscathed by the threat of financial sanctions for non-compliance with the new regulation.

According to the European Data Protection Board, regulators in 11 countries had issued fines totalling €55.96 million for GDPR violations. The bulk of that figure was the €50 million fine imposed on Google by the French data protection authority (CNIL), which held the company to account for processing personal data for advertising personalisation without the transparency and valid consent the GDPR requires.

Organisations breathed a collective sigh of relief that the fines were not as widespread as initially anticipated, but over the course of two days, the Information Commissioner’s Office (ICO) unleashed its might.

The ICO announced its intention to fine British Airways a massive £183 million for a security breach that exposed the personal data of over 565,000 customers. Just a day later, it announced a proposed fine of £99.2 million for the international hotel group Marriott over a huge data breach that exposed approximately 339 million guest records worldwide. The ICO confirmed that about 30 million of the compromised records related to residents of 31 countries in the European Economic Area.

It’s worth noting that in neither case did the ICO go for the maximum penalty, which under Article 83 of the GDPR is €20 million or 4% of worldwide annual turnover, whichever is higher. The level of a fine depends on factors such as the nature, gravity and duration of the infringement, the categories of data affected, the steps taken to mitigate the damage and the degree of cooperation with the regulator. British Airways cooperated fully with the ICO, and the proposed penalty amounted to roughly 1.5% of its worldwide annual turnover. Had the ICO sought the maximum 4%, the fine could have been a staggering £489 million.

Clearly, both proposed fines are a game-changer for the GDPR and have paved the way for even larger fines to be issued in the future. The ICO has demonstrated just how seriously it intends to treat violations of the regulation, and organisations have become acutely aware of the consequences of non-compliance.

GDPR in 2019 – What have the last 12 months taught us?


The last 12 months have been a steep learning curve for many organisations. Compliance with the GDPR was never going to be an easy process but for some organisations, especially larger multinational companies, it has proved an arduous task. Huge amounts of data spread across a wide variety of platforms, endless access points, and an increase in data requests have made compliance more difficult than many could have imagined.

GDPR has certainly made its mark on the world and over the course of a year it has led to the following:

Increased Reporting

The GDPR appears to be encouraging breach reporting, with almost 60,000 breach notifications filed since the regulation came into force on 25 May 2018. The breaches ranged in severity from minor incidents to major cyber-attacks affecting millions of people.

Consumers have also become more aware of their privacy rights. Since the GDPR came into effect, the ICO has reported a 160% increase in complaints, and the Irish Data Protection Commission recorded around 6,000 complaints over the same period.

Need to secure the supply chain

The attacks on British Airways and Marriott once again highlight how difficult it is to secure a company’s supply chain. The BA breach bears all the hallmarks of a Magecart attack: the threat group is known for injecting card-skimming JavaScript into vulnerable e-commerce sites, so that card details typed into a payment form are copied to an attacker-controlled domain at the moment the customer submits them. At the time, the group was thought to have exploited a vulnerability in an older version of the e-commerce platform Magento used by the company.

In Marriott’s case, the breach is reported to have originated in the Starwood guest reservation database, which was compromised before Starwood was acquired by Marriott and inherited through the acquisition. Cybercriminals appear to have shifted their strategies: rather than target a company directly, they inflict damage by exploiting weaknesses in its suppliers, third-party code and acquired systems.

To avoid falling foul of the legislation, organisations will need to conduct detailed risk assessments of suppliers and the third-party components they deploy, and monitor their GDPR compliance on an ongoing basis.

Need for Staff Training


The GDPR expects staff to be trained: Article 39(1)(b) makes awareness-raising and training of staff involved in processing operations one of the DPO’s tasks, and Article 32(4) requires controllers and processors to ensure that anyone with access to personal data processes it only on instruction. Training is key to ensuring that staff are knowledgeable about company policies, regulations and the legal requirements that apply to their day-to-day role.

Indeed, the ICO’s personal data breach notification form specifically asks whether the staff involved in the breach have received data protection training within the past two years. If an organisation cannot demonstrate this, further inquiries will follow.

Organisations need to prove that staff have both read and understood GDPR Policies. Being able to evidence this puts organisations in a strong position to demonstrate that ‘Privacy’ has become an integral part of their day to day business.

Importance of Data Protection Officers (DPOs)

According to the IAPP, more than 500,000 organisations are estimated to have registered DPOs since the GDPR came into effect. Data Protection Officers play an important role in the protection of privacy and are central to effective accountability. For organisations that carry out certain types of processing activities, it’s mandatory to appoint a DPO.

A DPO must be appointed if:

  • you are a public authority or body (other than a court acting in its judicial capacity)
  • your core activities require large-scale, regular and systematic monitoring of individuals
  • your core activities consist of large-scale processing of special categories of data or data relating to criminal convictions and offences

The DPO should be an expert in the GDPR and privacy practice, as they are responsible for monitoring and reporting on GDPR compliance. DPOs are expected to guide data controllers and data processors by auditing internal compliance and recommending corrective action where necessary.

So, what’s next for GDPR?


Within the space of a year, the GDPR has massively shaped the global privacy landscape. The regulation has prompted many other countries around the world to take a closer look at their own security and privacy laws.

Argentina and Japan have already started to align their national data protection legislation with the GDPR, and Brazil has enacted similar legislation, the General Data Protection Law (LGPD), scheduled to come into effect on 15 August 2020.

Within the US, the states of California, New York and Colorado have passed local data privacy laws and the US Congress is considering a federal data privacy law as pressure mounts for stricter data protection across the country.

There’s no doubt that GDPR has been a force for good and prompted organisations to take privacy protection more seriously. If adhered to correctly, the GDPR enables organisations to become more cyber secure, efficient and competitive within the marketplace.

By demonstrating GDPR compliance, companies are likely to benefit from reduced organisational risk and build greater levels of trust with their customers. This transparency will, in turn, enhance brand reputation and lead to the development of more meaningful relationships.

However, as cybercrime evolves, and criminals become more deceptive in their attack methods, organisations will need to continually address privacy and security risks to ensure they are accountable for the personal data they hold and compliant with the legislation.

MetaPrivacy has been designed to provide the best practice approach to data privacy compliance. Contact us for further information on how we can help your organisation improve its compliance structure.

DISCLAIMER: The content and opinions within this blog are for information purposes only. They are not intended to constitute legal or other professional advice and should not be relied on or treated as a substitute for specific advice relevant to particular circumstances, the Data Protection Act, or any other current or future legislation. MetaCompliance shall accept no responsibility for any errors, omissions or misleading statements, or for any loss which may arise from reliance on materials contained within this blog.
