GDPR comes into force throughout the UK and the rest of the EU on 25th May 2018. There’s less than three months to go and businesses are still unprepared. Worryingly, 15% of UK IT Professionals have no plans to prepare for GDPR before the ever-encroaching deadline hits, which is not ideal.
There’s lots of confusion around GDPR: what it means, who it affects, etc. This blog will clear up any confusion whilst laying out some practical steps you can follow to help you towards being compliant.
What is GDPR?
Parliament passed our current Data Protection Act in 1998 to control how information was handled and to give legal rights to those who have information stored about them.
1998 was a time before the adoption of handheld technology, before the evolution of broadband, and before the birth of social media. All things considered, it’s no wonder it needs updating, especially when we think about the huge amount of personal information we post on social media and the access businesses have to this on a daily basis.
GDPR is a comprehensive uplift on the Data Protection Act of 1998. Its aim is to harmonise data protection throughout the EU. In comparison to the current Data Protection Act, GDPR will hold companies accountable for the data they hold, will ensure that consent is clearer, and will place far more emphasis on the individual controlling their own personal data.
Fines and scaremongering
Companies who fail to comply with GDPR could face fines of £17 million or 4% of their global turnover (whichever is greater). It's important to realise that whilst the fines have caused plenty of scaremongering, they’ve been communicated deliberately to encourage compliance, particularly for companies that hold huge amounts of personal data.
Whilst the possibility of being fined shouldn’t be ignored, history suggests that the ICO will not be handing out fines haphazardly. Of the 17,300 concluded data breach cases in 2016/17, only 16 resulted in fines for the organisations concerned, with the ICO yet to hand out the maximum £500,000 fine.
How will it impact my business?
Undoubtedly, the biggest impact will be time. Achieving GDPR compliance is not difficult, but it is time-consuming; working through and documenting the steps can take months. However, once you’ve achieved GDPR compliance and have the necessary processes in place, it takes minimal effort to maintain. At Risc IT Solutions, we offer a GDPR consultancy service to help you achieve compliance. Our consultants won’t do it for you, but they will hold your hand through the process and take the hard work out of compliance. Here are 5 steps you can take now to prepare.
5 things you can do now to prepare for GDPR:
1. Know what data you have
Keep up-to-date asset registers and mapping documents of all the data you hold and where it is. For each piece of information, ensure you have a data classification, a documented reason for processing, and a record of whether you are the data controller or processor. Aside from GDPR, your intellectual property is also very important, so ensure you also document this.
2. Carry out risk assessments for your data
Once you know exactly what data you hold and where it is, you can start to analyse risk. For example, your most highly classified data could be accessible to everyone in your organisation or may be stored in a non-compliant country. Once you know the risks, you can aim to reduce them with the appropriate organisational and technical controls.
3. Review your organisational controls
Data protection in any organisation should be a priority for everyone, from the CEO or MD down! Ensure that your staff are vetted and trained, and are regularly updated on information security and data protection policies for your organisation. It may also be worth reviewing whether you need to appoint a Data Protection Officer. You should also review the policies and processes your organisation has in place, including incident management, information security and privacy policies, and consent forms. Your organisation should also have templates for data protection impact assessments (DPIAs), which are stipulated in the GDPR for when an organisation implements a new form of processing or technology.
4. Review your technical controls
Firewalls, malware protection, encryption, vulnerability assessments, password policies and regular patches are things all organisations should be thinking of. When you implement these controls, you should think of them as underpinning your organisational controls. Depending on the nature of your business and the data you hold, your organisation may need to invest in more advanced or bespoke technology, as the GDPR puts an emphasis on implementing state-of-the-art security. Now is the time to review this and get the correct controls in place.
5. Consider critical data and cyber insurance
Even the most well-defended organisations in the world suffer data breaches! If the worst does happen, you may need to call in some help straight away. There are some fantastic aftercare insurance products on the market which will help your organisation recover swiftly from a damaging cyber-attack or data breach. This could include cyber forensics, public relations or covering the costs of downtime. Credit rating monitoring for you and your customers can also be implemented to ensure that stolen data is not being used for criminal financial purposes.