One subject I frequently get asked about at customer meetings, is GDPR. I know this is something that is concerning most business owners currently, so I thought it would be useful to share some information on what GDPR is all about and what key actions businesses need to be taking to ensure compliance.
The new EU general data protection regulation (GDPR) comes in to effect in the May of 2018 and represents the most radical change in data protection legislation in the last 20 years.
Failure to comply will have potentially catastrophic implications for companies, for two reasons:
- For any breach the UK regulator, the ICO, will be able to levy fines of up to €20 million or 4% of your annual turnover, whichever is the higher.
- Breaches have to be notified to the data protection authority and in some cases the consumers affected, without delay. This leaves the company concerned highly exposed to brand damage and potential customer pay outs.
So what do businesses need to be doing in order to mitigate the risks?
Well this is a big question and one I will be exploring in more detail in coming blogs, but to give you a flavour, the type of things you should be considering include:
1. Identify what personal data you are holding. Bear in mind personal data can be as simple as an individual's name or email address. This is vital because you need to be able to demonstrate that you are protecting this data and using it appropriately. So understanding what you have and where it is forms the first step towards compliance.
2. Identify threats to this data. This could include things like cybercrime, accidental loss by employees, deliberate theft by employees, industrial espionage, lost devices and unauthorised access to data. This is vital if companies are to avoid the fines of up to €20 million that can be levied for unauthorised access to, or disclosure of, personal information.
3. Invest in and implement the right technologies to deal with insider and external threats to data. This will involve a wide raft of technologies to provide protection from a range of different threats. This is very important if you are to avoid data breaches and hence the crippling fines and reputational damage that would be brought about by this.
4. Put together a new or updated data protection policy and train employees on it. This is important as everyone in your organisation needs to understand their obligations under GDPR and how to make themselves fully compliant.
5. Put in place processes for ongoing education for all members of staff around cyber security and data protection. Because the cyber security landscape is constantly changing, it is very important that employees are constantly kept up-to-date with best practice around security and data protection
6. Create a breach notification plan. This is important because If the worst should happen, and you do experience a data breach under GDPR, you need to have a clear plan to deal with it and communicate it as smoothly and accurately as possible, and with the least possible damage to your business.
In future blogs I will be exploring these issues in more depth, but if in the meantime you need help with GDPR compliance solutions, please do not hesitate to contact myself or my colleague Andrew Banning on 0208 732 5656. Or email us on firstname.lastname@example.org or email@example.com