What is GDPR?
In 1998 the Data Protection Act was passed by Parliament to control the way personal information is handled and to give legal rights to the people that information is about.
The Act was passed before the birth of social media, the spread of broadband and the adoption of handheld devices. It is now out of date and unfit for purpose, especially given the volume of personal information we share on social media and the daily access brands and businesses have to it.
The General Data Protection Regulation (GDPR) is a comprehensive uplift of the 1998 Data Protection Act and is aimed at harmonising data protection throughout the EU. GDPR places far more emphasis on individuals being able to control their own personal data, requires that consent be clear and unambiguous, and holds organisations accountable for the personal data they hold.
GDPR readiness assessment
The GDPR places a number of responsibilities on organisations that control or process personal data, including:
Putting organisational and technical measures in place to demonstrate compliance.
Making data protection and information security a board-level issue.
Implementing robust and “state-of-the-art” cybersecurity solutions and reviews.
A focus on transparency and consent as a basis for collecting and processing personal data.
Providing enhanced rights for data subjects, including the right to be forgotten.
More stringent rules around detecting and communicating data breaches to both individuals and the authorities.
What you can do to prepare
Organisations that hold personal data should be preparing for GDPR now. Processes, schemes and standards to consider implementing in preparation include:
Risk and impact assessments for data protection.
The government-backed Cyber Essentials scheme.
Standards such as ISO 27001 or IASME Governance.
Recruitment and training of personnel in preparation for GDPR.
Audits of existing data; where it is held and who owns it.
Review of previous consent to see if fresh consent is required under GDPR.
Updating of privacy policies and online contact forms to comply with the regulation.
What we can do to help
Alongside our Cyber Essentials and IASME Governance assessments, we can also assess your organisation for GDPR readiness. We offer a range of consultancy and technical services to ensure the confidentiality, integrity and availability of your data, and to help you prepare for the forthcoming changes in data protection law.
GDPR can sound daunting. Our consultants will guide you through the process: your organisation still has to do the heavy lifting, but we will help at every step and take the guesswork out of compliance.
Steps to take now
Know what data you have
Keep up-to-date asset registers and data-mapping documents covering all the data you hold and where it is stored. For each data set, record its classification, the lawful basis (the documented reason) for processing it, who owns it, and whether you are the data controller or the data processor for it. Aside from GDPR, your intellectual property is also valuable, so document that too.
Carry out risk assessments for your data
Once you know exactly what data you hold and where it is, you can start to analyse risk. For example, your most sensitive data may be readable by everyone in your organisation, or may be stored in a country that does not offer adequate protection for personal data. Once you know the risks, you can reduce them with appropriate organisational and technical controls.
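The two steps above (build the register, then check it for risk) can be automated once the register exists. The following is an added example, not code from this page or its authors: it defines a small data-asset record with the fields described above and runs a handful of risk rules over a constructed inventory. The adequate-jurisdiction list, the classification scheme, the "everyone" group names and the sample assets are all assumptions chosen for illustration; maintain the jurisdiction list from the official EU adequacy decisions rather than from this placeholder.

```python
from dataclasses import dataclass

# Placeholder (assumption): ISO 3166 codes of jurisdictions you treat as offering
# adequate protection. Maintain this from the official list of EU adequacy
# decisions; it is not a legal determination.
ADEQUATE_COUNTRIES = {"GB", "IE", "DE", "FR", "NL"}

# Ranking used to compare classification labels (assumed scheme).
CLASSIFICATION_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Group names that mean "everyone in the organisation" (assumed naming).
BROAD_GROUPS = {"all-staff", "everyone"}


@dataclass
class DataAsset:
    name: str
    classification: str   # one of CLASSIFICATION_RANK
    personal_data: bool   # does it contain personal data (in GDPR scope)?
    role: str             # "controller" or "processor" for this data
    lawful_basis: str     # e.g. "consent", "contract"; "" if not documented
    storage_country: str  # ISO 3166 code of where it is stored
    access_groups: tuple  # groups that can read it
    owner: str            # accountable owner; "" if unknown


def assess_asset(asset: DataAsset) -> list:
    """Return the list of risk findings for one asset (empty list = nothing flagged)."""
    findings = []
    rank = CLASSIFICATION_RANK.get(asset.classification)
    if rank is None:
        findings.append("unknown classification label")
        rank = CLASSIFICATION_RANK["restricted"]  # treat unknown as most sensitive
    # Sensitive data readable by everyone is the first example in the text above.
    if rank >= CLASSIFICATION_RANK["confidential"] and BROAD_GROUPS & set(asset.access_groups):
        findings.append("sensitive data readable by everyone in the organisation")
    if asset.personal_data:
        # Storage outside the adequate list is the second example in the text above.
        if asset.storage_country not in ADEQUATE_COUNTRIES:
            findings.append(f"personal data stored in {asset.storage_country}, "
                            "outside the jurisdictions on the adequate list")
        if not asset.lawful_basis:
            findings.append("no documented lawful basis for processing")
        if asset.role not in ("controller", "processor"):
            findings.append("controller/processor role not recorded")
    if not asset.owner:
        findings.append("no accountable owner recorded")
    return findings


def assess_inventory(assets) -> dict:
    """Map asset name -> findings, listing only assets with at least one finding."""
    report = {}
    for asset in assets:
        findings = assess_asset(asset)
        if findings:
            report[asset.name] = findings
    return report


# Constructed sample inventory (not real data).
SAMPLE_INVENTORY = [
    DataAsset("crm-customers", "confidential", True, "controller", "contract",
              "IE", ("sales", "support"), "Head of Sales"),
    DataAsset("hr-payroll", "restricted", True, "controller", "",
              "US", ("all-staff",), "HR Director"),
    DataAsset("marketing-brochures", "public", False, "controller", "",
              "US", ("everyone",), ""),
    DataAsset("client-backups", "confidential", True, "unknown", "contract",
              "GB", ("ops",), "Ops Lead"),
]

if __name__ == "__main__":
    for name, findings in assess_inventory(SAMPLE_INVENTORY).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Each finding maps to a control you can then apply: tighten the access group, move or safeguard the transfer, record the lawful basis, or assign an owner. The rules only fire on assets marked as containing personal data, so a public brochure stored abroad is not flagged as a transfer risk.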
Review your organisational controls
Data protection should be a priority for everyone in the organisation, from the CEO or MD down. Ensure that your staff are vetted and trained, and that they receive regular updates on your information security and data protection policies. It is also worth reviewing whether you need to appoint a Data Protection Officer. Review the policies and processes your organisation has in place, including incident management, information security and privacy policies, and consent forms. Your organisation should also have templates for Data Protection Impact Assessments (DPIAs), which the GDPR requires where new processing, particularly using new technology, is likely to result in a high risk to individuals.
Review your technical controls
Firewalls, malware protection, encryption, vulnerability assessments, password policies and regular patching are controls every organisation should have in place, and they should underpin your organisational controls. Depending on the nature of your business and the data you hold, your organisation may need to invest in more advanced or bespoke technology, as the GDPR puts an emphasis on implementing state-of-the-art security.
Consider critical data and cyber insurance
Even the most well-defended organisations in the world suffer data breaches. If the worst does happen, you may need to call in help straight away. There are good aftercare insurance products on the market that help an organisation recover swiftly from a damaging cyberattack or data breach; cover can include digital forensics, public relations and the cost of downtime. Credit monitoring for you and your customers can also help detect whether stolen data is being used for financial fraud.