Managers have just weeks until sweeping new data protection rules come in, and they should seize the opportunity to create a competitive advantage.
That’s the message from a leading cyber security company ahead of GDPR, which is due to come into force on 25 May 2018.
Amethyst – which advises big private and public sector clients – says organisations should already be developing a security aware culture where every member of staff understands the rules about protecting personal data. Instead of being driven by the fear of breaching the regulations, businesses should see compliance as a way to set themselves apart from their non-compliant competitors, the company says.
Managing Director Steve Howe explained: “It is true that failing to protect data puts you at risk of prosecution and potentially enormous fines, not to mention reputational damage and lost sales, but we are encouraging businesses to focus on how they can use the compliance process to show customers they take protecting private data very seriously.”
Amethyst is advising organisations to work towards achieving the information security standard ISO 27001, which it says will likely address the core principles and rules of GDPR with good cyber security.
Mr Howe said: “In future, we think businesses with the accreditation will be sought out by consumers and business customers while those without it will be eliminated from selection procedures, as happened with the quality management standard ISO 9001.”
Under the new rules, the Information Commissioner has the power to fine firms up to 20 million euros or four per cent of global turnover for a serious breach. If a member of the public or an employee complains that their data has been compromised, there may no longer even be a need for him or her to prove any damage or distress. Simply failing to take reasonable care of an individual’s data could be enough for a possible prosecution.
Mr Howe added: “The Information Commissioner’s Office has indicated it wants to work with businesses to roll out a culture of data protection, rather than bully them into complying. However, there have been suggestions in some quarters that the ICO will want to make an example of one or two organisations early on to heighten awareness of the issue. Either way, businesses should be alive to the risks and opportunities, and if they are not doing so already, they should be making plans to be GDPR ready before next spring.”
That includes appointing a ‘controller’ separate from management to be responsible for meeting GDPR principles and able to demonstrate the organisation’s compliance.
GDPR is designed to harmonise regulations across the EU, driven by Germany’s vigorous support for data protection, and Mr Howe said Brexit could have an impact: “There is some question about how exactly GDPR will apply in the UK after leaving the EU, but the government has confirmed the regulations will definitely come into force. With fines levied in euros and a potentially weak pound, there is also the risk that the pain will be worse for any UK firms who are prosecuted.”
Amethyst has distilled the principles and rules of GDPR into six key points:
- Know what personal data you have and why you have it
- Manage personal data in a structured way
- Know who is responsible
- Encrypt, pseudonymise or anonymise what you don’t want to be disclosed, lost or breached
- Design a security aware culture into the organisation and all staff
- Be prepared: plan for the worst-case scenario