The General Data Protection Regulation (GDPR) was adopted by the European Union (EU) in April 2016 and came into full effect on 25 May 2018. It was also written into the UK's Data Protection Act 2018, so it continues to apply within the UK post-Brexit (as the UK GDPR). The regulation was designed to strengthen the data protection legislation that preceded it. As well as applying to organisations established in the EU and UK, it applies to organisations located anywhere in the world that offer goods or services to, or monitor the behaviour of, individuals in the EU or UK.
Failing to comply with the GDPR can result in severe penalties, and organisations that have yet to establish compliance have had ample warning to do so. Beyond meeting the GDPR's requirements, robust security measures are essential for every organisation as cyber attacks continue to increase year on year.
There are two tiers of financial penalty that can be imposed for GDPR infringements (Article 83):
The lower tier allows fines of up to €10 million or 2% of global annual turnover, whichever is higher. This tier covers infringements of the controller's and processor's obligations under Articles 8, 11, 25 to 39, 42 and 43 (for example records of processing, security of processing, breach notification, data protection impact assessments and the appointment of a DPO), and the obligations of certification and monitoring bodies.
The higher tier is for more severe infringements, with fines of up to €20 million or 4% of global annual turnover, whichever is higher. This tier covers infringements of the basic principles for processing, including the conditions for consent (Articles 5, 6, 7 and 9); data subjects' rights (Articles 12 to 22); transfers of personal data to third countries (Articles 44 to 49); obligations under Member State law adopted under Chapter IX; and failure to comply with an order of a supervisory authority.
The penalty imposed depends on several factors: the nature of the infringement, how serious it was and how long it lasted; whether it was accidental or deliberate; whether it was a first infringement; how cooperative you were with the supervisory authority; and whether you adhere to approved codes of conduct or certification schemes, or to recognised standards such as ISO 27001.
In addition to fines, other sanctions can be imposed on your business by the authorities responsible for enforcing the GDPR, which in the UK is the ICO (Information Commissioner's Office). They can impose temporary or permanent bans on processing personal data and suspend data transfers to third countries, to name just two examples.
A data breach could also lead to litigation: an individual or a group of individuals could sue your company for damages, adding further costs on top of any GDPR fine.
Article 82 states: "Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered."
Reputational damage is another significant consequence of a data breach or GDPR infringement. Having your company name linked to a data protection violation erodes trust in your business. Is a potential customer likely to trust your company after a publicised data breach and a GDPR fine, or will they seek out one of your competitors? The question hardly needs an answer. The financial repercussions of reputational damage can have a prolonged impact on your business, and in some cases a reputation cannot be restored at all.
The supervisory authorities enforcing the GDPR across Europe have already penalised many companies after data breaches and other data protection infringements, and have made an example of some big players with hefty fines.
As of November 2020, a total of 408 fines had been levied and €259,759,295 paid out for GDPR infringements. The sector with the most fines to date is Industry and Commerce with 98, closely followed by Media, Telecoms and Broadcasting.
A few of the high profile GDPR compliance casualties include:
Google was fined €50 million by the French data regulator CNIL in January 2019, the largest GDPR penalty at the time of writing, for violations of Articles 5, 6, 13 and 14. CNIL said the fine was imposed for "lack of transparency, inadequate information and lack of valid consent regarding ads personalisation."
British Airways: after a cyber attack on the company's website, the personal data of around 500,000 customers was stolen. The ICO found that inadequate security measures had left the British Airways website open to compromise, and fined the airline €22,036,306 (£20 million).
Marriott: after acquiring its competitor Starwood, Marriott discovered that Starwood's central reservation database had been breached. The attack affected 30 million hotel customers and exposed dates of birth, passport numbers and details of 8 million credit cards. According to the ICO, the hotel chain lacked due diligence and failed to take the proper steps to ensure that adequate security measures protected its systems. The company also failed to notify customers of the breach until several months after the intrusion was discovered. Marriott was fined €20,450,000 (£18.4 million).
GDPR compliance can be tricky, and while big-name brands like Google, BA and Marriott are more likely to hit the headlines after receiving a fine, businesses big and small are all on the GDPR radar. We all understand that the GDPR is about protecting the data of individuals in the EU and UK, but let's look at what it specifically has to say on the matter of security.
Article 32 of the GDPR covers Security of Processing and states that:
"Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk."
Article 32(1) goes on to say that these measures include, as appropriate: the pseudonymisation and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident; and a process for regularly testing, assessing and evaluating the effectiveness of those measures.
Confidentiality, integrity and availability, known as the CIA triad, are therefore an explicit part of your GDPR compliance responsibilities.
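Article 32(1)(a) names pseudonymisation and encryption as technical measures. The following is an added example, not code from the original article or from Bulletproof, showing what pseudonymisation of direct identifiers looks like when done properly: a keyed HMAC rather than a plain hash, with the key held separately from the released data so that only the key holder can re-identify a record. The field names, sample records and the choice of HMAC-SHA256 are assumptions made for the example; the records are constructed and describe no real person.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional

# Assumed field names for this example: these directly identify a person and are
# replaced by keyed pseudonyms before the data leaves the controlled system
# (for analytics, a vendor, a test environment, etc.).
DIRECT_IDENTIFIERS = ("email", "national_id")

# Constructed sample records for the example; not real people.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"email": "Alice@Example.com", "national_id": "AB123456C", "plan": "gold", "country": "DE"},
    {"email": "bob@example.com", "national_id": "CD654321E", "plan": "silver", "country": "FR"},
    {"email": "alice@example.com", "national_id": "AB123456C", "plan": "gold", "country": "DE"},
]


def new_pseudonymisation_key() -> bytes:
    """256-bit secret key. Store it separately from the pseudonymised data: whoever holds
    the key can re-identify; without it the tokens are just random-looking strings."""
    return secrets.token_bytes(32)


def pseudonymise_value(key: bytes, value: str) -> str:
    """Keyed pseudonym using HMAC-SHA256.

    A plain SHA-256 of an e-mail address is not useful pseudonymisation: anyone who
    obtains the dataset can hash candidate addresses and match them. With a secret
    key, the same input still maps to the same token (so joins and analytics keep
    working) but the mapping cannot be recomputed without the key. Inputs are
    normalised so that "Alice@Example.com" and "alice@example.com" agree.
    """
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymise_record(key: bytes, record: Dict[str, str]) -> Dict[str, str]:
    """Replace each direct identifier with its pseudonym; leave other attributes untouched."""
    out: Dict[str, str] = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            out[field + "_pseudonym"] = pseudonymise_value(key, value)
        else:
            out[field] = value
    return out


def pseudonymise_dataset(key: bytes, records: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Pseudonymise every record in a dataset with the same key."""
    return [pseudonymise_record(key, r) for r in records]


def contains_direct_identifiers(records: Iterable[Dict[str, str]]) -> bool:
    """Release gate: True if any record still carries a raw identifier field."""
    return any(field in DIRECT_IDENTIFIERS for record in records for field in record)


def reidentify(key: bytes, pseudonym: str, candidates: Iterable[str]) -> Optional[str]:
    """Re-identification is only possible for the key holder, by recomputing candidates.
    compare_digest avoids leaking the matching position through timing."""
    for candidate in candidates:
        if hmac.compare_digest(pseudonymise_value(key, candidate), pseudonym):
            return candidate
    return None


if __name__ == "__main__":
    key = new_pseudonymisation_key()
    released = pseudonymise_dataset(key, SAMPLE_RECORDS)
    assert not contains_direct_identifiers(released)
    for row in released:
        print(row)
```

Note that pseudonymised data is still personal data under the GDPR as long as the key exists, so the key itself needs the same access control and retention discipline as the identifiers it protects; the gain is that a leak of the released dataset alone does not expose who the records are about.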
The first step to ensuring that you are GDPR compliant is to identify the personal data you hold, how sensitive it is, where it is stored and who in your organisation has access to it. Once you have documented this, you can check whether your existing security measures are robust enough to keep that data as safe as possible.
Processes should be established to detect, investigate and report data breaches. Penetration tests and vulnerability scanning should be performed regularly, as Article 32(1)(d) expects, to confirm that the controls and procedures you rely on actually work.
If a breach does occur and personal data is at risk, you must be swift in reporting it to the relevant supervisory authority. In the UK this is the Information Commissioner's Office (ICO).
Article 33 of the GDPR requires the controller to notify the supervisory authority without undue delay and, where feasible, within seventy-two hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms; a processor that discovers a breach must notify the controller without undue delay. Article 34 requires the controller to tell the affected individuals without undue delay when the breach is likely to result in a high risk to their rights and freedoms.
Whatever the size and industry of your organisation, if you deal with the personal data of EU or UK residents, someone in your organisation needs to be made responsible for GDPR. It is also wise to have a knowledgeable Data Protection Officer (DPO) to oversee the nuts and bolts of your GDPR compliance. This can be someone within your organisation with adequate training, but it is often an outsourced position. The DPO acts as the point of contact between your organisation and the supervisory authorities.
Although it is strongly recommended by supervisory authorities and best practice alike, appointing a DPO is only strictly mandatory (Article 37) if your organisation meets one of these three conditions: the processing is carried out by a public authority or body; your core activities consist of processing that requires regular and systematic monitoring of individuals on a large scale; or your core activities consist of large-scale processing of special categories of data (Article 9) or data relating to criminal convictions and offences (Article 10).
Good data protection comes from strong processes, procedures and technical controls. Meeting GDPR compliance means that you have implemented effective processes to protect any personal data that you collect or process. By following GDPR guidance, you avoid the cost of a hefty fine and the other costs and knock-on effects that a lack of compliance brings. And an integral part of GDPR compliance is taking information security seriously.
The GDPR sets no universal standard for which information security measures an organisation must have in place. It requires an organisation to process data securely by implementing "appropriate technical and organisational measures".
These measures are typically known as information security management (ISM): a set of controls put in place to protect the confidentiality, integrity and availability of an organisation's information assets against cyber threats and vulnerabilities.
Information assets don't just include the personal data you collect from individuals; they encompass all the sensitive data your organisation holds.
Companies often adopt a framework of documented controls and guidelines known as an information security management system (ISMS), designed to manage information security systematically across the organisation. The objective of an ISMS is to reduce risk and ensure operational continuity by taking proactive steps to limit the consequences of a breach.
In practice, many enterprises choose to follow specific standards and the most popular of these is ISO 27001.
ISO 27001 is a globally recognised ISMS standard published by the International Organization for Standardization (ISO). It provides the framework for an enterprise to create a successful and effective ISMS.
Rather than mandating specific methods or tools, it specifies requirements for establishing, operating and continually improving an ISMS on the basis of risk assessment, with a reference set of controls in its Annex A. Achieving ISO 27001 certification shows that your ISMS has been independently audited against these requirements and that you have applied the security practices needed for a robust security posture.
While ISO 27001 certification is not a legal requirement, it is strongly recommended if your organisation processes and stores sensitive data, as a way of protecting against information security threats. Your business also benefits from being able to demonstrate that it meets an internationally recognised standard for ISM, and some Government and commercial organisations specify in their contracts that ISO 27001 certification is required to bid.
An effective ISMS, ISO 27001 certification and GDPR compliance go hand in hand. There is no specific GDPR certification as such. However, ISO 27001 is closely aligned with the personal data protection objectives set out in a crucial section of the GDPR, namely Article 32, which requires organisations to implement "appropriate technical and organisational measures" for the security of processing.
The measures Article 32 describes map closely onto what ISO 27001 certification requires: controls for encryption, for availability and restoration of data after an incident, for business continuity, and for regularly testing the effectiveness of your controls.
ISO 27001 is broader in scope than the GDPR when it comes to sensitive data, since it addresses both personal data and the organisation's other critical information. ISO 27001 certification will not by itself make your business GDPR compliant, but it serves as a strong foundation.
All organisations that control or process the personal data of individuals have a responsibility to protect that information from security risks. By becoming ISO 27001 certified, your company has independently audited confirmation that it follows internationally recognised information security practices.
Having the appropriate security measures in place significantly lowers the risk of a security breach and of a hefty GDPR fine. While the GDPR does not require certification to any standard, including ISO 27001, certification will put your enterprise in a more favourable light with the regulator in the worst case, where data you hold is compromised in a cyber attack.
It should be understood that GDPR compliance, ISO 27001 certification and your organisation's security are all ongoing: there is no set-and-forget solution. Working with data protection compliance experts can make the process much smoother, ensuring that information security is performing at an optimal level, and can also provide support with ISO 27001 certification and GDPR compliance.
Joe is a blogger and security evangelist who’s been raising the profile of cyber security for a decade. He writes about a variety of cyber and compliance topics, with a keen eye on translating events and data into valuable customer insights. Never boring, sometimes controversial, always insightful.