As Data Privacy Week begins, we discuss how the intersection of data protection and the need to implement and maintain adequate cybersecurity measures highlights the importance of taking control of your data with robust policies, processes and cybersecurity awareness.

Seven years ago, in 2018, data protection underwent a renaissance. This was entirely due to the EU's General Data Protection Regulation (GDPR), which came into force on May 25 that year. At the time there was major concern about compliance among European companies, mainly because of the significant fines for the worst breaches of the new law: up to €20 million ($20.5 million) or up to 4% of global annual turnover, whichever is higher.

Things are much calmer in 2025, as data protection legislation is now much better understood and adhered to. Some major fines have been issued, but the average organization is now – correctly – of the view that compliance is required and panic is unnecessary. Companies generally have someone responsible for data protection and for dealing with the legal requirements, and it is generally accepted that data protection lives in the risk or compliance team rather than directly with the IT or cybersecurity departments.

Many breaches of data protection law are caused by users either making mistakes or maliciously leaking personal data, while others are down to external attacks. Whatever the case, the cybersecurity team’s involvement is essential to the data protection team’s efforts, because the impact of a data breach can depend directly on what we do.

There are two key aspects of data protection to which the cybersecurity team can make a major difference: prevention and damage limitation. The second of these is the area in which cybersecurity and IT teams can make the greatest difference to the data protection team. This is where we will focus.

Basic Factors – The More Common Elements

Major data breaches are, relatively speaking, extremely rare in the average organization. There will, however, generally be a background buzz of data protection and data privacy activity, mostly comprising Data Subject Access Requests (DSARs) and Data Protection Impact Assessments (DPIAs).

DSARs are governed by rules, primarily the deadline of one month for producing the requested data (extendable by up to two further months where requests are complex or numerous). Missing the target date will generally incur displeasure from the authorities and in extreme circumstances may result in a fine from the local information regulator. Except in the largest companies there is no technological reason for a DSAR to take longer than a couple of weeks, so the IT and cybersecurity teams should ensure they have the correct tools to make data retrieval as simple and quick as possible: an inventory of which systems hold personal data, and the ability to query each of them by subject identifier.

As far as DPIAs are concerned, the foundation is knowing what personal data is held, where, for what purpose and for how long. Proper control over applications, along with archiving procedures that can be run regularly to remove data that has fallen off the end of the retention period, is absolutely essential.
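As an added illustration (not code from the original article), the following Python sketches the two routine tasks just described against one small data inventory: locating every record held about one data subject for a DSAR response, and purging records whose retention period has lapsed while leaving anything under legal hold untouched and writing an audit trail. The systems, record categories, retention periods and the "review date" are all constructed for the example.

```python
"""Added example: a minimal personal-data inventory supporting DSAR retrieval
and retention-driven purging. All systems, records and retention periods are
constructed for illustration; they are not from the article."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Record:
    system: str           # application or store that holds the record
    category: str         # retention category the record falls under
    subject_id: str       # identifier of the data subject (e.g. customer number)
    created: date
    payload: dict
    legal_hold: bool = False  # records under hold must never be purged automatically


# Assumed retention policy: category -> days to keep after creation.
RETENTION_DAYS = {"crm": 365 * 3, "support_ticket": 365, "marketing": 180}

# Assumed "today" for a reproducible sample run.
REVIEW_DATE = date(2025, 1, 27)

# Constructed sample inventory spanning several systems.
INVENTORY = [
    Record("crm", "crm", "C-1001", date(2021, 3, 1),
           {"name": "A. Example", "email": "a@example.invalid"}),
    Record("helpdesk", "support_ticket", "C-1001", date(2024, 6, 15), {"ticket": "Login issue"}),
    Record("helpdesk", "support_ticket", "C-1001", date(2022, 1, 5), {"ticket": "Refund dispute"},
           legal_hold=True),
    Record("mailer", "marketing", "C-1001", date(2024, 1, 1), {"opted_in": True}),
    Record("crm", "crm", "C-2002", date(2024, 6, 1), {"name": "B. Sample"}),
    Record("mailer", "marketing", "C-2002", date(2024, 2, 1), {"opted_in": False}),
]


def collect_subject_data(inventory, subject_id):
    """Gather everything held about one subject, grouped by system, for a DSAR response."""
    out = {}
    for r in inventory:
        if r.subject_id == subject_id:
            out.setdefault(r.system, []).append(
                {"category": r.category, "created": r.created.isoformat(), "data": r.payload})
    return out


def expired_records(inventory, today, policy=RETENTION_DAYS):
    """Split records past their retention period into (deletable, on legal hold).

    A category with no defined retention period is a policy gap, so we fail loudly
    rather than silently keeping (or deleting) the data."""
    expired, held = [], []
    for r in inventory:
        days = policy.get(r.category)
        if days is None:
            raise ValueError(f"no retention period defined for category {r.category!r}")
        if today - r.created > timedelta(days=days):
            (held if r.legal_hold else expired).append(r)
    return expired, held


def purge(inventory, today, policy=RETENTION_DAYS, dry_run=True):
    """Remove expired records in place and return an audit log of what was (or would be) removed."""
    expired, held = expired_records(inventory, today, policy)
    verb = "WOULD DELETE" if dry_run else "DELETED"
    audit = [f"{verb} {r.system}/{r.category} subject={r.subject_id} created={r.created}"
             for r in expired]
    audit += [f"HELD {r.system}/{r.category} subject={r.subject_id} (legal hold, retention expired)"
              for r in held]
    if not dry_run:
        for r in expired:
            inventory.remove(r)
    return audit


if __name__ == "__main__":
    for system, items in collect_subject_data(INVENTORY, "C-1001").items():
        print(f"DSAR C-1001: {system} holds {len(items)} record(s)")
    for line in purge(list(INVENTORY), REVIEW_DATE, dry_run=True):
        print(line)
```

Run with `dry_run=True` first and review the audit lines; only then schedule the real purge. The legal-hold flag is the edge case worth getting right: a record that is both past retention and under hold must be reported, not deleted, and not quietly forgotten either.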

Duty of Care – In Case of a Breach

The penalties that data protection authorities may impose following a significant breach will of course be based on local legislation as well as the quantity and the nature of data affected. It will also be based largely on how they perceive the level of care the organization took in defending the data.

As Article 5(1)(f) of the GDPR puts it: personal data must be “processed in a manner that ensures appropriate security of the personal data.” If it is perceived that sufficient care was not taken, this will influence the magnitude of the punishment. If controls – policies, standards and procedures – are not in place to govern storage and processing of, and access to, the data, this will reflect badly during an investigation. Potentially worse is if these controls exist but are systematically being ignored. As the U.K. Information Commissioner stated in the 2020 penalty notice for the British Airways breach, “BA failed to process the personal data of its customers in a manner that ensured appropriate security of the data, including: protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organizational measures”, citing the very Article – 5(1)(f) – quoted above.

This is where the cybersecurity and IT teams can make the difference. While user education is essential to minimize the level of user-initiated data breaches, user errors on their own are not what upsets the authorities. If we imagine ourselves doing the authorities’ job, what would we look for? Missing procedures, of course, as well as failure to follow those that exist. Also: failure to observe the principle of least privilege; a lack of checks on access to systems (particularly privileged access); poorly defined firewall rules or a lack of firewalling; cloud servers or storage areas that are exposed to the internet; and a failure to use Multi-Factor Authentication (MFA) for logins from outside.
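The checklist above is the sort of thing an investigator will ask for evidence of, so it pays to be able to run it against your own estate before anyone else does. The following Python is an added example (not from the article) that audits a constructed inventory of firewall rules, storage buckets and user accounts for three of the basics named: management or database ports open to the internet, storage exposed to the internet, and externally reachable logins without MFA. The list of sensitive ports, the "/8 or broader counts as the internet" heuristic, and all the sample data are assumptions made for the illustration.

```python
"""Added example: a small configuration audit for the basic controls a regulator
expects to see. Rules, buckets and accounts below are constructed; the sensitive
port list and the 'broader than /8 means the internet' rule are assumptions."""
import ipaddress

# Assumed: ports that should essentially never be reachable from the internet.
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres",
                   1433: "mssql", 445: "smb"}


def is_internet_source(cidr, max_prefix=8):
    """True if a source range is effectively 'everyone': 0.0.0.0/0, ::/0, or a
    prefix shorter than max_prefix (no organisation legitimately owns a /7)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen < max_prefix


def audit_firewall(rules):
    """Flag ingress rules that open a sensitive port, or every port, to the internet.
    Each rule: {name, proto ('tcp'|'udp'|'any'), from_port, to_port, source}."""
    findings = []
    for r in rules:
        if not is_internet_source(r["source"]):
            continue
        lo, hi = r["from_port"], r["to_port"]
        if r["proto"] == "any" or (lo == 0 and hi == 65535):
            findings.append((r["name"], "all ports open to the internet"))
            continue
        for port, svc in SENSITIVE_PORTS.items():
            if lo <= port <= hi:  # a wide port range silently includes sensitive ports
                findings.append((r["name"], f"{svc} ({port}) open to the internet"))
    return findings


def audit_storage(buckets):
    """Flag buckets whose policy grants public read, or where the account-level
    public-access block (the safety net) is switched off."""
    findings = []
    for b in buckets:
        if b["public_read"]:
            findings.append((b["name"], "policy grants public read"))
        elif not b["block_public_access"]:
            findings.append((b["name"], "public-access block disabled"))
    return findings


def audit_accounts(accounts):
    """Flag accounts that can log in from outside without MFA; call out privileged ones."""
    findings = []
    for a in accounts:
        if a["external_login"] and not a["mfa"]:
            note = "external login without MFA" + (" (privileged)" if a["privileged"] else "")
            findings.append((a["user"], note))
    return findings


# Constructed sample inventory.
RULES = [
    {"name": "web-https", "proto": "tcp", "from_port": 443, "to_port": 443, "source": "0.0.0.0/0"},
    {"name": "admin-ssh", "proto": "tcp", "from_port": 22, "to_port": 22, "source": "0.0.0.0/0"},
    {"name": "vpn-ssh", "proto": "tcp", "from_port": 22, "to_port": 22, "source": "10.20.0.0/16"},
    {"name": "db-wide", "proto": "tcp", "from_port": 1024, "to_port": 65535, "source": "::/0"},
    {"name": "legacy-any", "proto": "any", "from_port": 0, "to_port": 65535, "source": "0.0.0.0/0"},
]
BUCKETS = [
    {"name": "customer-exports", "public_read": True, "block_public_access": False},
    {"name": "backups", "public_read": False, "block_public_access": True},
    {"name": "static-site", "public_read": False, "block_public_access": False},
]
ACCOUNTS = [
    {"user": "alice", "privileged": True, "external_login": True, "mfa": True},
    {"user": "bob", "privileged": True, "external_login": True, "mfa": False},
    {"user": "svc-report", "privileged": False, "external_login": False, "mfa": False},
    {"user": "carol", "privileged": False, "external_login": True, "mfa": False},
]


def run_audit(rules=RULES, buckets=BUCKETS, accounts=ACCOUNTS):
    """Run all three checks and return findings keyed by control area."""
    return {"firewall": audit_firewall(rules),
            "storage": audit_storage(buckets),
            "accounts": audit_accounts(accounts)}


if __name__ == "__main__":
    for area, items in run_audit().items():
        for name, why in items:
            print(f"[{area}] {name}: {why}")
```

The point of the port-range check is that a rule like `1024-65535 from ::/0`, which looks like "ephemeral ports", also exposes RDP, MySQL, PostgreSQL and MSSQL; wide ranges need to be expanded against the sensitive list rather than eyeballed. In a real environment the three inventories would be pulled from the cloud provider's API or the firewall export, and the findings fed into a ticket queue with an owner and a deadline, because a list nobody acts on is exactly the "controls exist but are ignored" situation the authorities punish hardest.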

These are all basic security measures and it is perfectly reasonable, if we have a major data breach, for the authorities to expect us to have had them in place and to punish us hard if we did not do so.
