Companies which hold large amounts of personal data on customers could be forced to prove to the ICO that they have given staff cyber-awareness training and provide details of when their data security process were last audited if MPs get their way.
These are just of the recommendations made in a report published by the Parliamentary Culture, Media & Sport Committee. The inquiry, which was triggered by last year’s hack attack on TalkTalk, opened in November 2015..
According to “Cyber Security: Protection of Personal Data Online” companies and other organisations need to demonstrate not just how much they are spending to improve their security but that they are spending it effectively.
As well as cyber-training and audits, the committee also wants businesses to report to the ICO annually on whether they have an incident management plan in place and when it was last tested, as well as the number of attacks of which they are aware and whether any were actual breaches.
The report states: “Such reporting should be designed to help ensure more proactive monitoring of security processes (both people and cyber) at board level, rather than reporting breaches after they have happened.
“Those submitting reports should also be encouraged to include such data in their own annual accounts to help give confidence to customers, shareholders and suppliers that they take security seriously and have effective processes in place.”
Any such measures would go way beyond the requirements of the EU General Data Protection Regulation (GDPR); legislation which is already vexing the business community.
Last week, it was claimed that while awareness of the GDPR has increased, a third of businesses say they still feel ‘unprepared’ for the changes which will come into force in May 2018.
7,000 data protection officers needed for UK firms
Third of businesses still feel unprepared for GDPR
Marketers clueless about Brexit impact on data laws
Data compensation claims ‘could run into millions’
EU sets May 25 2018 as GDPR implementation date
Industry on alert as EU reviews online privacy laws
EU waves white flag over data protection officers