Many businesses still haven't heard of the GDPR (General Data Protection Regulation), recent research suggests. If you, like many, haven't heard of this new legislation, you can expect that over the course of the year, as we edge closer to 25th May 2018 when the regulation begins to apply, noise around the importance of this data regulation will grow, and you will need to make some changes to ensure you're ready for the big day.
Try the GDPR Assessment tool - Are you ready?
What is GDPR?
The amount of data collected and used by businesses, particularly customer data, has increased dramatically year on year, and is increasingly relied upon to help deliver core business objectives.
However, data legislation has not kept up with this explosion of data collection, with most data protection laws not having been updated since the turn of the century (or since the Spice Girls were riding high in the charts). 2016 saw a record number of reported breaches, a 40% increase compared to the year before. The biggest breaches included Seagate, LinkedIn, Three Mobile, Tesco Bank and TalkTalk.
So, the European Parliament, Council and Commission have come together to strengthen data protection for all individuals in the EU. This legislation gives EU citizens more control over how their data is used and gives them the "right to be forgotten" (the right to erasure), meaning they can require a business to delete the personal data it holds about them; separately, where processing is based on consent, they have the right to withdraw that consent at any time.
From May 2018, any company that processes the personal data of people in the EU, not only companies based in the EU, will need a strong data protection policy that protects client data. If companies fail to meet this standard they could face fines of up to 4% of their annual worldwide turnover (or €20 million, whichever is higher). To put this into perspective, if the GDPR had been in operation during Tesco Bank's breach, the maximum fine could have been a whopping £1.9 billion.
But what about Brexit… we won’t be part of the EU?
Britain's decision to leave the EU is not a get-out clause for the GDPR. Firstly, come May 2018 the UK will still be part of the EU. Secondly, and more importantly, the GDPR applies to British companies whenever they handle the personal data of people in the EU, whether or not the UK is a member state. These factors, plus the significant role Britain played in creating the legislation, make the choice to comply with the GDPR a no-brainer.
Matt Hancock, the Minister of State for Digital and Culture, stated the GDPR would be implemented within the UK because it is a "decent piece of legislation due to significant UK negotiating successes during its development".
What do you need to do?
Despite the plethora of web space dedicated to the GDPR, there is still a high degree of uncertainty about how to plan for it. However, many companies are already taking steps to improve their data security, with some ensuring the data they hold will remain safe while others make the necessary adjustments to their security policies so that they are watertight come 2018.
What we do know is that the worst thing you can do is nothing. Playing ignorant and assuming you are immune from a data breach will lead to greater consequences. Companies need to do due diligence on their policies to ensure data remains safe.
To prepare for 2018, businesses should focus their efforts on four areas: storage, governance, response and recovery.
Can we help? Register for a free cyber security assessment today
With an increasing number of organisations storing data in the cloud, how data is stored is a core focus of this new legislation. By storing data in the cloud, companies are handing over control of how the data is stored, protected and accessed. With little visibility of how these actions are carried out, organisations are putting a lot of trust in their service providers. However, come May 2018, if companies are unable to answer questions like: where is your data stored? Who accesses this data? And how is it protected? They will face hefty fines. Under the GDPR the company remains accountable as the data controller even though the cloud provider, acting as its data processor, holds the data; outsourcing the storage does not outsource the responsibility. A practical first step is to get a written contract with each provider that spells out where the data is held, who can access it and what security measures apply, since the GDPR requires controllers to have such a contract with every processor.
One of the most painful areas of the GDPR for businesses will be that customers and the supervisory authorities (the ICO in the UK) can ask for a record of how personal data has been handled at any time: individuals have a right of access to the data held about them, and regulators can demand an organisation's records of processing. This means companies will need to create and keep records of when the data was collected, who gave permission for the data to be stored, who has accessed the data and each point at which the data was shared. In practice this means that all companies, no matter their size, will need systems robust enough to keep up with these data demands.
If a company's data is compromised and customers' details are exposed, the focus will be on how the company responds. In the past companies have been known to sweep security breaches under the carpet, but this will no longer be acceptable. Protecting customers' data will become a crucial part of this new legislation. The speed with which a breach is identified and reported will be a key part of the GDPR: organisations must notify the supervisory authority within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to the people affected, and must tell the affected individuals without undue delay when the risk to them is high. Meeting that deadline is only realistic if detection, escalation and decision-making are rehearsed in advance.
Once a breach has happened, communication with the authorities will be ongoing; companies will no longer be able to take a laissez-faire attitude to dealing with the breach. All lost data will need to be managed appropriately, and those whose data has been exposed will need to be kept regularly informed.
Ultimately, what happens to the data companies store is now their responsibility.
Although the GDPR is going to cause headaches for many organisations, and will cause a great deal of disruption, companies need to take this as a positive. New data legislation is long overdue; there needs to be a stricter focus on how companies approach data protection, so that organisations see the real repercussions of a data breach.
If you have security concerns, talk to one of our experts today or register for your free cyber security assessment.