Bulletproof’s range of cyber security, data protection and compliance services are your best defence against threats to your business. With nearly a decade of providing trusted security services, we’re continuing our mission of solving the greatest cyber security & compliance challenges through innovation and simplicity. Explore our range of services and find out how Bulletproof can help your business.
Helping people solve their security challenges is what we do, so we’re always keen to hear from you.
Discover CREST penetration testing & continuous security
Internal & external infrastructure, network & system testing
Manage multiple tests & get external security assurance
Thoroughly assess your web apps & APIs for security flaws
Test your response to a simulated real-world cyber attack
All cloud platforms & services tested, including Azure & AWS
Test your human cyber defences with social engineering
Android, iOS & custom mobile application security testing
Find out more about penetration testing – what it is, when you need it, and why it’s a core component of any business. Discover how pen test helps with compliance, powers best practices, and helps your organisation win new business.
Gap analysis, implementation, audits & more from GDPR experts
On-going support to easily manage your data protection obligations
Consultant-led support to meet all levels of DSPT submission
Flexible & engaging data protection training from certified experts
Get peace of mind that your data protection is being managed by trusted, certified consultants. All Bulletproof data protection services are delivered by our highly trained, experienced and qualified staff.
Gap analysis, implementation, audits & more from dedicated ISO consultants
Find the next step in your strategy with this consultant-led assessment
Get quick & easy CE certification with a range of feature-packed packages
Flexible access to top-tier information security strategy & management
Experienced SOC 2 consultants, AICA audits & compliance automation platform
On-site, remote and video-based security training to boost your resilience
Affordable expertise & support to help you meet & maintain PCI DSS compliance
Go beyond compliance with information security services that are designed to give real operational benefits to your business. All delivered by seasoned, certified Bulletproof security consultants.
24/7 defence against cyber attacks with proactive threat detection
Get help responding & recovering from cyber incidents
Detect, analyse and stop cyber attacks with real-time prevention
Forensic support & data recovery following cyber attacks
Stay on top of new vulnerabilities with powerful, flexible scanning
Evaluate your wireless network for security weaknesses
Discover how your business can identify & manage cyber threats
Comply with regulations, meet certification standards & best practices
Train and test your staff for security resilience, data protection & compliance
No matter what your cyber or compliance challenges, Bulletproof is here to help. We like to work with you as a trusted partner to solve problems, not sell services. No pressure tactics and no false promises.
Learn about our mission to make cyber & compliance accessible to all
Grow your business with high-margin, high-value & partner-ready services
Become part of the Bulletproof team & supercharge your career
Bulletproof’s in-house SOC powers our Managed SIEM & MDR services
We love to talk. Tell us about your cyber & compliance challenges
At Bulletproof we love to solve problems with simplicity & innovation. It’s our mission to make compliance & cyber security services accessible to all. We take pride in building and nurturing teams of exceptional talent, so we’re confident that our cyber security & compliance services are the best way to stay one step ahead of the hackers and protect your business.
Helping people solve their security challenges is what we do, so we’re always keen to hear from you, no matter what you have to say.
Get the latest news, views & expert insight in the world of cyber security, data protection & compliance
A helpful index of cyber security terms, compliance acronyms and industry terminology to make life easy
Discover what we have to say about the threat landscape & what businesses need to know to get ahead
Find out how we can make companies like yours Bulletproof. Don’t take our word for it, hear direct from our clients
Detailed insights & helpful tips for understanding penetration testing, data protection & more
Interesting data & top tips at a glance, with insightful infographics covering all areas of cyber security & compliance
Watch our experts talk through their thoughts & opinions on a variety of security & compliance topics
See when & where we’re going to be bringing Bulletproof insight to an event near you
Ayisha Bari
Find out what ransomware is, how attacks work & types of attack to help you get started with keeping ransomware out of your business.
Read More
A GDPR breach could carry serious consequences, with fines of up to 20 million Euros being enshrined in the regulations for the most serious of breaches. This fear causes some companies to be overzealous in reporting of any situation where there is even a remote risk of any personal data becoming known to third parties. This causes wasted time and resourced for both your business and the Supervisory Authority (in the UK that’s the ICO).
Although it's better to err on the side of caution, after reading this article, you'll find out that although General Data Protection Regulation might be more restrictive than the previous Data Protection Act, it's often being misunderstood. Whilst the most effective option is to hire a Data Protection Officer, it’s a good idea for every organisation to know the basics of the GDPR and what it means when it talks about ‘data breaches’.
GDPR is a regulation that came into effect on 25 May 2018 to make the laws about data protection identical in all member states of the European Union and European Economic Area. As a consequence, companies that do business on the soil of multiple EU countries need only to comply with GDPR, as there are no differences in laws protecting the personal data of individual users (or, as the regulation calls them: data subjects) across the GDPR signatory countries.
This regulation applies not only to all companies in the EU and EEA but to any business that stores or processes personal data of individuals from either of these entities. So if you’re a business in the USA who provides services to he EU/EEA, you need to adhere to the GDPR.
Because of the GDPR, all companies with "professional or commercial activity" that are in any way handling personal data are obliged to have adequate systems in place to protect the privacy of individuals and minimise the possibility of a personal data breach.
Before we delve into this matter further, let's consider what personal data, according to GDPR, really is. In the text of this regulation, we can find a fragment where personal data is defined as "name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."
However, one rather common misconception is that companies only need to protect the personal data of their customers, which isn't true. All companies should also protect their employees’ personal data.
This is another subject that is often poorly understood. When we hear of a personal data breach, most of us think of hackers gaining access to databases where the information about customers or any individuals is stored.
Although such a situation would indeed pass for a personal data breach, if we once again look into GDPR, we'll find that it is explained as an "accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed."
It means that a data breach isn't in any way limited to situations in which any unauthorised person gained, or could gain access to personal data. Instead, it also includes those in which the data is edited, a data carrier that contains personal data is lost, or if the only copy of such a file is deleted.
The GDPR applies both to data stored digitally, but also to paper documents, though even if an unauthorised person comes into contact with a scrap of paper that describes personal information, it would be a personal data breach. The real-life examples of such occurrences could be, for example:
This list by no means includes all of the possible situations that would constitute a personal data breach but rather aims to show that such an occurrence isn't limited to the actions of hackers, nor to unauthorised persons gaining access to digital records of paper documents. Even leaving someone’s name and email address on a post-it note could technically constitute a data breach. However, as in a moment, we'll find out, not all GDPR breaches warrant a need to notify a Supervisory Authority.
Another issue that is often confusing is when, according to the GDPR, companies should report to the authorities when a data breach takes place. As it turns out, not every single case of a data breach requires a company to contact a supervisory organisation.
According to the GDPR, there's no need to compose a report if a personal data breach "is unlikely to result in a risk to the rights and freedoms of natural persons." It means that an entity responsible for storing or processing information doesn't have to let authorities know if, due to a mistake, or another reason, there is a data breach. e.g., a risk that an unauthorised person could find a lost pen drive, that in no way could result in negative consequences for an individual.
It really depends on the situation and the type of information that is lost, modified, or shared by mistake. If the "rights and freedoms of natural persons" are in no way threatened, all you need to do is document the event in your breach register. In this situation there is no need to contact the Supervisory Authority about this type of a data breach, though your DPO should still be involved.
Before we proceed to the section in which we'll explain when you should report a personal data breach, let's focus first on what the risk to "rights and freedoms," according to the GDPR is.
If we take a closer look at the regulation, we'll find out that it is defined as a "physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned."
Although the list of possible situations that constitute data breaches (which should be reported) is quite long, it instructs the processors of personal data to report only such situations that could affect the lives of the data subjects negatively.
In the case of most data breaches, such as accidentally modifying the list with the information on data subjects, there wouldn't be a possibility that such occurrence could harm the reputation of individuals, or lead to any financial loss. However, it all really depends on the context and the type of personal data that would be lost, modified, or shared by accident with an unauthorised person.
However, what if a data breach does, in fact, pose a threat to the aforementioned "rights and freedoms" of individuals? Such an event should be reported within the next 72 hours. Apart from that, those whose lives could be affected should be notified about the data breach in the next 72 hours. Failure to do so could result in substantial fines being imposed on a business that is responsible for the processing of personal data.
It doesn't mean though that if an incident isn’t reported within 72 hours without undue delay, the fine will be an invariable consequence. In an attempt to avoid being faced with a fine, companies often overstress the importance of providing the report about the data breach as soon as possible, often with harm being done to the protection of the customers' privacy.
The first priority should be to ensure that a similar situation won't be possible in the future. Although all the employees whose responsibilities include handling and processing personal data should go through training on this subject, it is also recommended to provide them with regular refresher training on how to avoid data breaches.
In this day and age, it is easy to put security safeguards in place reduce the risk of unauthorised persons accessing files containing personal data, and thus minimising the possibility of a risk to the "rights and freedoms".
However, another thing that we should mention is that every company should avoid providing comprehensive data about customers in multiple files if it’s unnecessary. Usually, there is no such need, and by limiting the amount of information that is stored in a single place, the chances of a data breach taking place would be slim. Only store the data that you really need and securely delete all unnecessary data.
Even if you report the data breach to the Supervisory Authority, you might be found neglecting your responsibilities to implement security systems that would adequately protect the privacy of the users and make breaching the GDPR less likely. The level of fines depends on a multitude of factors – it's even possible that although your company hasn't suffered a breach, GDPR could be violated in another way, such as creating the environment in which such a thing could occur in the future.
However, apart from the fines (the lowest tier is up to €10 million, or 2% of annual turnover, depending on which number is higher), your company could be even banned from processing information of data subjects if the circumstances of the breach of data were particularly problematic.
Although these consequences can seem quite severe, the primary objective of the GDPR is not to punish the businesses that fail to safeguard against the possibility of a personal data breach, but rather to make it less likely that inappropriate handling of the data will result in negative consequences for users, such as loss of reputation, financial loss, or discrimination.
The intent behind this regulation is to encourage data processors to treat the subject more seriously, as it's a matter of fundamental importance. Ultimately, to prevent a data breach from taking place, or at least, making it an unlikely occurrence, ensuring that every employee went through adequate training could be enough.
Depending on the type of data processing with which your business concerns itself, you should consider whether files containing personal data are encrypted, and if not, if there is a chance that they could be accessed by unauthorised personnel. However, even if your company adheres to GDPR guidelines, a personal data breach could happen. Even the best security systems can be undone by human error and honest mistakes.
However, reporting a personal data breach doesn't necessarily mean that your company will find itself in financial troubles. The essential part is to consider what caused the personal data breach and whether the situation could be easily avoided. Before you start drafting a report, focus on taking care of the situation at hand first, so that the possibility of another breach caused in the same way is eliminated. Only then can you proceed to contact the Supervisory Authority.
Unfortunately, it is often the case that business owners attempt to inform the supervisory organisation without taking care of the problem. According to GDPR, the report detailing the data breach should be sent within 72 hours without undue delay, but let's not put the cart before the horse. The ultimate goal of the GDPR is to decrease the likelihood of data breaches, and prioritising reporting over fixing the problem would be the opposite of that.
There is still a lot of confusion surrounding the GDPR. Many business owners in the UK & EU aren't sure what constitutes a personal data breach. The best option for these companies is to invest in an outsourced Data Protection Office service. Bulletproof wrote a blog exploring the roles and responsibilities of a DPO. Although following those regulations might require investing additional resources into the training of the staff, it's not without important reasons, GDPR non-compliance presents a serious risk to your business.
We hope that after reading this article, we have cleared up any confusion. For organisations wanting more detail, we have a GDPR White Paper and webinar that both look at the GDPR in more detail. And for those businesses struggling with getting started, we have our 10 Steps to GDPR Compliance infographic.
Joe is a blogger and security evangelist who’s been raising the profile of cyber security for a decade. He writes about a variety of cyber and compliance topics, with a keen eye on translating events and data into valuable customer insights. Never boring, sometimes controversial, always insightful.
Our GDPR consultants are certified and experienced data protection experts. Find out more about how we support organisations across a range of industry sectors, successfully guiding them through the complex responsibilities of GDPR and data protection.
If you are interested in our services, get a free, no obligation quote today by filling out the form below.
I'd like to receive Bulletproof communications about relevant services and events
For more information about how we collect, process and retain your personal data, please see our privacy policy.