Privacy advocates in Britain welcomed a new regulation that has been grabbing headlines over the last month: GDPR. This EU vision in an acronym, the General Data Protection Regulation (GDPR), requires that internet users opt-in to allow service providers and marketers to contact them by email beyond 25 May. It is expected to remain in place after Brexit. Most of the law’s provisions were also echoed in the Data Protection Act 2018, implemented by the UK government two days earlier.  Under the new guidelines, businesses are likely to bear more than a drop in (possibly reluctant) readership: under GDPR, they have just 72 hours to disclose a digital breach and face its fallout for their reputations.

Apart from public opinion, discovering a hack can be technically challenging: on average, it takes companies six months to realise they’ve had a breach. Add to this the increasing sophistication of state-sponsored and non-state cyber attacks, and companies may find themselves caught short in their plans for security and compliance. In the last two years, hackers have used recent innovations such as crypto ransomware to take companies and institutions temporarily hostage, including electric grids, metro systems, and, notably in the UK, the NHS. 

Further afield, the experience of Ukraine’s deluge of digital onslaughts by Russia-backed hackers suggests that governments and companies alike will struggle to fend off attacks and report them, for some time to come.  British companies operating under the aegis of GDPR now have an additional dynamic to consider in their strategies for digital security. They might take comfort in turning to Calm, a meditation app, which has repurposed the least scintillating sections of GDPR and turned them into a grown-up bedtime story read by BBC presenter Peter Jefferson. With hackers in Russia, China and North Korea closing the technical talent gap, however, it will be tough to sleep easily.