On 25 May 2018, the General Data Protection Regulation (GDPR) will be introduced. It has been designed with personal data in mind, and means that organisations will have to be more transparent in terms of the data they hold, how they use it and, crucially, the security of that data.
Under GDPR, any data breach that is likely to put people’s rights or freedoms at risk must be reported to the Information Commissioner's Office within 72 hours of discovery, and the most serious data breaches can result in a fine of up to 4% of annual revenue or €20m, whichever is the larger.
There is of course much hype and scaremongering about GDPR, but with a clear plan it should be an evolution of your data security strategy and not a scary standing start from scratch.
A key thing to note is that GDPR isn’t just about marketing data; it concerns employee data, internal data and every type of personal data your company stores. That means accounting for all the data you hold: why you have it, how it’s measured and mapped, how long you plan on keeping it and how you dispose of it.
GDPR puts ownership of the data ultimately back into the hands of the individual, meaning that clear consent must be given and that data may only be used for the original purpose for which it was gathered. GDPR therefore has significant implications in many areas where you may not expect it to: tracking cookies, pre-ticked opt-in boxes and mailing list auto-enrolment, to name just three.
With the stakes so high and the fines so large, it is unwise to assume that the data you hold is not relevant or that GDPR will not apply to you.
Preventing a breach
When people think of a data breach they often envisage a sophisticated and targeted attack performed by hackers: an attack which gains access to confidential and sensitive company information for criminal financial gain. Whilst this perception may be true in certain cases, for the majority it is not.
In most cases the way in lies through simple mistakes: unpatched operating systems, poor password security, vulnerable services, or company employees clicking on links or attachments in phishing emails.
With simple cybersecurity measures many of these breaches could be prevented; however, we continue to see relatively unsophisticated and opportunistic attacks succeed. A security mindset must be adopted: one where software patches are regularly scheduled, connected devices are fully secured, and employees are regularly educated on the importance of strong passwords and on what to look out for in suspicious emails.
It’s down to organisations to ensure that cybersecurity remains a company-wide priority, one that’s seen to be led by the CEO and Board and that trickles all the way across the company. GDPR is not a technical issue; it is ultimately a business continuity issue.
Preparing your business for GDPR
To comply with the new regulations, it’s essential that companies are not only improving their security posture but are also reviewing their reporting procedures and conducting data audits. GDPR, together with the proposed new UK Data Protection Act intended to bring the UK into line with GDPR, mandates “security by design” in newly developed systems and firms up the definition of the “sufficient technical measures” that companies must take to protect data, adding a requirement to keep up to date with changing trends and techniques used in attacks.
As a cybersecurity firm we know the potential consequences of security inaction, and our expert team of consultants works with clients to ensure they continue to be as well protected as possible. However, for many other companies the thought of improving cybersecurity, or even knowing where to start, can be a daunting prospect.
To help organisations understand the implications, we’ve teamed up with Lloyd's Register, Soitron, UKFast and NDC Management to run a half-day GDPR Security Seminar in Manchester (1st Feb).
What to expect from our GDPR seminar
The goal of the seminar is simple: to provide businesses with a roadmap for compliance, focusing on three core areas: technology, people and process.
Our event will contain seven 30-minute sessions that outline how companies can know their data, assess their current state and requirements, and then build a programme that can be tested, operated and maintained.
With a clear plan, GDPR doesn't have to be daunting. In fact, with the right approach and support, companies can use the requirements laid down by the new legislation to promote privacy and security, which could bring business benefits far beyond mere compliance.
GDPR and cybersecurity
A core part of the seminar will focus on GDPR and cybersecurity, delivered by Secarma Head of Education, Paul Mason. This part drills deeper into:
- An overview of the threat landscape
- Recent breaches and their implications
- The value of testing systems
- Examples of common pitfalls and findings
- Active steps to protect systems and users
The seminar takes place at our Manchester campus on 1 February 2018 and you can register your place via the Eventbrite form below. We hope to see you there.