“There's an issue with the blood bank and your operation has been cancelled”.
This is not what you want to hear when you are just about to have heart surgery. However, that is exactly what happened to a patient in a London hospital in May.
The hospital had, together with a number of other major hospitals, been subject to a Russian cyber attack, the BBC reports.
Meanwhile, 25,000 people have had information about their names, date of birth, gender, home address and national insurance number stolen in a data breach at the BBC Pension Scheme, one of the largest occupational pension schemes in the UK.
These days it is hard to open a media outlet without reading about data breaches, hacker attacks and cybercrime creeping in on society, and it feels as if the safe spaces for our most personal information are getting smaller.
High rise in number of cyber operations
The European Repository of Cyber Incidents (EuRepoC), a research consortium, has set out to build an overview and a better understanding of cyber operations from around the world. Every day they map cyber attacks committed worldwide to track and report changing trends in the global cyber threat environment.
And it is not for the faint hearted.
“In February 2024 the world witnessed a significant surge in cyber operations, with a total of 107 incidents recorded. This represents a staggering 24.4% increase compared to January and exceeds the overall monthly average of 71 operations by 36,” EuRepoC reports.
One example is the Romanian prime minister, who had copies of his personal identity cards stolen by a ransomware group demanding 30,000 euros for the deletion of the data.
And these are just the cyber operations that are politically motivated or directed against critical infrastructure, which is what EuRepoC looks into.
Then there are the operations against commercial targets, financial institutions, and so on.
It is safe to say that the cyber threat is huge. That is felt in the EU as well, where more and more regulations are being produced.
In the past two years alone, six new legal acts have been approved. Let's have a quick overview.
EU cybersecurity acts
The Digital Services Act (DSA) aims to create a safer digital space where the fundamental rights of users are protected, and to establish a uniform set of rules for online platforms across the EU.
The Digital Markets Act (DMA) aims to ensure fair and open digital markets by regulating large online platforms that act as "gatekeepers," preventing them from abusing their market power.
Together, the DSA and DMA are designed to enhance consumer protection, promote transparency, and foster competition in the digital space, ensuring a fairer and safer online environment for all users. They came into force in November 2022.
The Digital Operational Resilience Act (DORA) entered into force in January 2023 and will apply as of January 2025. It aims at strengthening the IT security of financial entities such as banks, insurance companies and investment firms and making sure that the financial sector in Europe is able to stay resilient in the event of a severe operational disruption.
NIS2 is the EU-wide legislation on cybersecurity, and in scope are entities that are operators of essential services. Enforcement of the NIS2 Directive is currently underway, and member states have until October 17th 2024 to adopt the directive.
The world's first AI act has just been approved by the European Council in May 2024 making it one more set of rules for organisations to keep track of. The flagship legislation follows a ‘risk-based’ approach, which means the higher the risk to cause harm to society, the stricter the rules.
Lastly, the Cyber Resilience Act (CRA) is the first-ever EU legislation placing mandatory cybersecurity requirements on products that include digital elements. It entered into force on December 10th 2024.
More work, fewer resources
“Compliance is really complex and there are so many moving parts. New regulations and requirements constantly emerge. In addition, we always have to adapt to new technologies,” says Jacob Høedt Larsen, Public Affairs Specialist in Wired Relations, who follows the development in compliance closely.
“It is simply a huge task to handle compliance in the real world”.
Data Protection Officers (DPOs) are already busy protecting sensitive data in accordance with GDPR, but they are now also picking up key roles under the new EU legislation, new research from the European Data Protection Board (EDPB) shows. These new roles raise concerns about conflicts of interest and a lack of resources for the DPOs, the report states.
Cybersecurity leaders also feel the weight of many different responsibilities. A recent survey from Gartner shows that 65% of cybersecurity leaders think that having too many responsibilities is one of the biggest burnout drivers for them.
In its 2023 Privacy Governance report, the IAPP asked 500 privacy professionals about privacy governance, and the conclusion is the same: privacy people do more work, and do more with less.
So it is busy out there in the compliance departments, and at a time when the risk of cyber attacks is very apparent, maximum resources and a clear, realistic division of tasks would be desirable. Not the opposite.
If we look specifically to data protection, the Austrian data protection activist Max Schrems points out that 74% of company-internal data protection professionals say that authorities would find significant violations at an average company.
“Extremely alarming. Such figures would be unimaginable if it were a matter of complying with tax law or fire safety regulation. Non-compliance only seems to be the norm when it comes to users’ personal data,” he states in a study published by Noyb.
Supported by technology
So how can compliance professionals be supported? How can their work be made easier? The IAPP report highlights that organisations have started to use technology more to support their privacy compliance work and that the use of privacy frameworks is increasing.
Using compliance solutions and standardised frameworks is a good way to help structure compliance work, according to Gilli Haraldsen, COO at Wired Relations.
According to him, compliance is complex enough as it is. Therefore, compliance solutions should be simple to use. If they are, it becomes possible to reduce manual work, free up time and resources, and gain control over the organisation's compliance efforts.
“By implementing a GRC solution with built-in best practice in everything from vendor management to risk assessments, you can achieve better control and reduce the feeling of being overwhelmed by tasks,” he explains.
Globally recognised privacy advisor Debra Farber says in our podcast Sustainable Compliance that she got into tech because it is booming and she would never get bored.
It feels safe to say that she is right. Privacy and tech do not stand still. But despite the challenges, it is worth getting up in the morning for.
Right?
“I have always had a strong sense of justice. It feels good waking up every morning saying you are helping people with their privacy – their freedom and ability to gain control over themselves.” - Debra Farber
Read our E-book: A guide to simplicity in compliance
Guidance on choosing the right GRC system
Our e-book explores a fresh perspective on compliance, focusing on user-friendliness, transparency, and simplicity.