About a year ago, Europe’s largest electrical and telecommunications retailer was hacked, compromising 5.9 million customer cards and 1.2 million personal records. Dixons Carphone claimed it had been unaware of the breach until recently, so no information had been held back from their customers or regulatory bodies.
The problem with the Dixons Carphone hack is that it was a major breach that raised questions about the company’s security strategy and its real commitment to securing it infrastructure. How will Dixons Carphone and other companies going through similar situations deal with security incidents in light of the GDPR? Was this incident truly just detected or have they simply been trying to keep quiet?
Theoretically, GDPR doesn’t regulate incidents that occurred before May 24, but an anonymous European Commission official has been reported as saying at a meeting in Brussels in April that some adjustments should be made to include major breaches.
"If this behavior [of keeping a data breach secret] would continue - even if it started a long time ago and continues - and is discovered after the GDPR comes into play, then it's relevant," said the person, according to EU Observer.
"If you discover the crime the moment it happens, but it started a long time ago, this doesn't really matter. This is not retroactive application, this is application of the actual case," he said. "If there is a breach discovered the day after, the GDPR will apply. I hope that every company dealing with our personal data takes the May deadline very, very seriously," he concluded.
Even though they’ve had two years to prepare for GDPR compliance, businesses were caught unprepared, blaming a lack of funding and resources. Only a small number of companies were actually ready for GDPR when the deadline hit and most are still behind schedule, depending on industry and size, the Ponemon Institute found following feedback from 1,000 companies in the US and EU.
One major problem mentioned is the lack of clear guidelines about specific security actions required to be compliant. Some 47 percent complained they didn’t even know where to start. Regardless of the criticism, all have to face the financial consequences of GDPR.
Companies still have to review their processes because data breaches can be very expensive. In the UK, for example, businesses need as long as 191 days to detect a security incident and another 66 days to mitigate it.
In response to the Dixons Carphone breach, the Information Commissioner’s Office (ICO) announced that a decision will be made after a thorough investigation establishes the date the security incident occurred and when it was detected. For now, it hasn’t been decided if it will be managed under the 1998 Data Protection Act or GDPR.