By Dr Kerry Beynon


By “data” I mean intellectual property, commercially sensitive data and personal data. The chances are that you also have in place IT systems to manage your data. Perhaps you outsource your IT function, or perhaps you are fortunate enough to have an in-house team of IT gurus that take care of things for you. You may have “IT” noted on your risk register and have considered some kind of insurance, but how often do you properly review, test and challenge your systems and disaster recovery plan for preventing and dealing with information security breaches?

As our reliance on the technologically connected world increases, so does our financial exposure to the threat posed by cyber criminals. We have all read the high profile news reports about the spread of ransomware attacks and how that can (depending on the background) damage trust and confidence in an organisation. However, cybercrime does not only expose our businesses to the potential loss of customers and the loss of valuable intellectual property, but it will soon expose our businesses to higher regulatory sanctions. This is because on 25 May 2018 the General Data Protection Regulation (GDPR), dealing with how organisations treat and manage personal data, takes effect. Although the current Data Protection Act 1998 does already make it a requirement for “appropriate technical measures” to be in place to protect personal data, the GDPR arguably places a greater emphasis on this and of course the maximum fines for “getting it wrong” will increase from £500k to 20 million euros or 4% of your worldwide annual turnover, whichever is the greater.

It is important to keep in mind that one of the themes of GDPR is “proportionality” – everything must be proportionate to the risk of harm that may be suffered by individuals. However, for something to be proportionate, it has to be “considered”. This means that a one size fits all approach is not suitable if you want to work towards compliance with the GDPR.

• Consider the personal data that your organisation holds and review whether your IT infrastructure is likely to provide adequate protection

• Always keep your systems up to date (but make sure that when you are clicking a link to update software, that link is genuine!)

• Test and challenge your disaster recovery plan – if you are subject to a ransomware attack, how will you retrieve your data and how quickly can you get your business up and running again? Where are your weak points, how can you fix them?

• Consider Cyber Essentials Plus – whilst obtaining Cyber Essentials Plus is not a guarantee of compliance with GDPR, it will certainly help to show that you have considered the risks and have tried to take appropriate steps.


Kerry specialises in data protection, IT/IP and commercial law. Before entering legal practice, she taught IP and contract law at Swansea University and worked for an award-winning project aimed at protecting the IP rights of small to medium sized enterprises. A member of the Chartered Institute of Arbitrators, Kerry is also a solicitor-advocate with higher rights of audience in both the civil and criminal courts. Kerry has passed the Certified EU General Data Protection Regulation Practitioner qualification awarded by IBITGQ and accredited to ISO 17024.