We’ve all read the horror stories about companies losing data. In fact, security breaches of this nature are becoming an increasingly familiar news story. Our data is now a high-value commodity to those unscrupulous, shadowy criminals who seek to prosper from stealing our information.
So, what is being done to combat this and protect us? How do we instil confidence that, in an age where our identity is stored digitally, we can stay safe?
Part of the answer is GDPR, or the General Data Protection Regulation to be precise.
GDPR is a new set of regulations set out by the EU that demands we take greater care of our clients’ data. It lays out a structure of accountability around the storage and accessibility of any data that may personally identify an individual. The regulations, while set out by the EU, will apply to any company that wishes to do business with EU citizens, and thus affects the majority of us globally.
One of the more significant changes is the financial penalties associated with non-compliance, which can be as high as 4% of revenue! When combined with the fact that data protection authorities in each respective country will have greater powers to both audit and impose fines, this is a change that demands attention.
GDPR requires you to ensure the confidentiality, integrity, and security of your processing systems. Put simply, you should have security controls in place that can prevent and detect potential breaches of data.
GDPR is a long-term solution, so it isn’t a one-off task to get your house in order. Instead, you need to demonstrate that you continually monitor sensitive data to identify any vulnerabilities. For many of us, this is a departure from the current perception that this sits with the ‘IT person’. GDPR is a cultural change in attitude towards the importance we place on security, which requires awareness and buy-in from the whole business, including, and most importantly, from those in senior positions.
GDPR has crept into the collective consciousness over the last 12 months, with the noise around this change getting ever louder as we approach the adoption date of May 2018. Despite this, many are still unsure how, or if, they should address the issue at all. And, no doubt there will be panicked conversations in boardrooms up and down the country come this time next year.
So, in real terms, what can and what should you do?
When the data protection authority looks at your processes, it is reviewing whether you have appropriate measures in place to comply. Questions it will ask are:
- Is the data you keep secured appropriately?
- Have you done all you can to keep your systems secure?
- Can you access and provide customer data if requested?
- Do you obtain consent to store data?
- Do you have access control measures in place to ensure only those necessary can get to the data?
- Would you be able to identify and report a data security breach in a timely manner?
As a business, you need to understand both the questions and, more importantly, the answers to all these points.
As always, the most important element of compliance will be your staff. Effective and regular training will always give you the best protection. The GDPR regulations recommend that all businesses, regardless of size, appoint a Data Protection Officer to provide guidance and monitoring. Your systems also need to reflect the requirements of GDPR; working with a responsible supplier who understands the regulations and your obligations is essential to remove the stress and confusion. With many organisations working with or considering ‘the cloud’, an outsourced, secure infrastructure will look increasingly attractive, so it’s vital you work with suppliers who follow industry standards such as ISO27001.
GDPR may feel, to some, like more ‘banana straightening’ by the EU, but it’s here to stay and will benefit us all by forcing companies to take data security more seriously. The key is to use the next 12 months to prepare; don’t be an ostrich!