On 25 May 2018, the General Data Protection Regulation (GDPR) comes into force. It governs how personal data is processed, and means that organisations will have to be more transparent about the data they hold, how they use it and, crucially, how they secure it.
Under GDPR, any personal data breach that is likely to result in a risk to people's rights and freedoms must be reported to the supervisory authority (in the UK, the Information Commissioner's Office) within 72 hours of the organisation becoming aware of it, and the most serious infringements can result in a fine of up to 4% of annual worldwide turnover or €20m, whichever is higher. Because the 72-hour clock starts at awareness rather than at the moment of the breach, the internal detection and escalation path matters as much as the notification itself.
There is, of course, a great deal of hype and scaremongering around GDPR, but with a clear plan it should be an evolution of your existing data security strategy rather than a standing start from scratch.
A key point is that GDPR isn't just about marketing data: it covers employee data, internal records and every other type of personal data your company stores. That means knowing all the personal data you hold, why you have it, how it is mapped and measured, how long you plan to keep it and how you dispose of it.
GDPR puts control of personal data back into the hands of the individual. Where consent is the lawful basis for processing, it must be freely given, specific, informed and unambiguous, and data may only be used for the purpose for which it was originally collected. GDPR therefore has implications in areas where you may not expect it: tracking cookies, pre-ticked opt-in boxes and automatic enrolment onto mailing lists, to name just three.
With the stakes so high and the fines so large, it is unwise to assume that the data you hold is out of scope or that GDPR will not apply to you.
Preventing a breach
When people think of a data breach they often picture a sophisticated, targeted attack by hackers who gain access to confidential and sensitive company information for financial gain. That is true in some cases, but not in the majority.
In most cases the way in lies through simple mistakes: unpatched operating systems, weak or reused passwords, exposed vulnerable services, or employees clicking links or attachments in phishing emails.
Many of these breaches could be prevented with basic cybersecurity measures, yet relatively unsophisticated, opportunistic attacks continue to succeed. A security mindset must be adopted: patches applied on a regular schedule, connected devices inventoried and hardened, and employees regularly trained on strong passwords and on what to look for in suspicious emails.
It is down to organisations to ensure that cybersecurity remains a company-wide priority, visibly led by the CEO and board and carried through every part of the company. GDPR is not merely a technical issue; ultimately it is a business continuity issue.
Preparing your business for GDPR
To comply with the new regulation, companies must not only improve their security posture but also review their breach-reporting procedures and conduct data audits. GDPR, together with the proposed new UK Data Protection Act that will implement it in UK law, mandates "data protection by design and by default" in newly developed systems and requires "appropriate technical and organisational measures" to protect personal data, taking into account the state of the art, which in practice means keeping up to date with changing attack trends and techniques.
As a cybersecurity firm we know the consequences of security inaction, and our team of consultants works with clients to keep them as well protected as possible. For many other companies, however, the thought of improving cybersecurity, or even knowing where to start, can be daunting.
To help organisations understand the implications, we teamed up with Lloyd's Register, Soitron, UKFast and NDC Management to put together a GDPR Security Seminar in Manchester.
Your roadmap to GDPR compliance
The goal of our event was simple: to provide businesses with a roadmap for compliance, focussing on three core areas: technology, people, and process.
With a clear plan, GDPR doesn't have to be daunting. In fact, with the right approach and support, companies can use the requirements laid down by the new legislation to promote privacy and security. This could bring business benefits far beyond just compliance.
Need further GDPR help and advice?
As you can see, GDPR and cybersecurity go hand in hand, and our Security Seminar is the perfect place to get the practical advice your company needs to become GDPR compliant. But what if you need more specific advice for your organisation? We can help.
Our GDPR Preparedness Workshops are designed with you in mind, aiming to give you a deeper understanding of the technical aspects of one of the most significant compliance changes in years.
To find out more about our upcoming workshops, or any of our services, visit our website.