The General Data Protection Regulation (GDPR) enforcement date is only a month away, yet research has shown that many businesses are still unprepared for the biggest changes in data protection laws since the 1990s.
According to a Populus survey carried out at the beginning of the year, 60% of respondents said they were not “GDPR ready” only months before the compliance deadline. Despite the fact that huge fines of €20 million or 4% of global turnover – whichever is higher – have dominated headlines, only 35% of businesses are aware of the most severe fines.
It’s not too late, however, to put measures in place ahead of the impending GDPR legislation 25th May deadline. As an IT company with extensive experience in cyber-security, TSG has been helping businesses across the UK use technology to support GDPR compliance. Here are our top 10 tips for complying with GDPR.
1. Security is paramount
As we’ve detailed in our GDPR webinar series, if there’s one thing you should do ahead of GDPR, it’s put in place measures to protect the Personally Identifiable Information (PII) your business holds. Data breaches and other cyber-attacks were so prolific in 2017 that it was dubbed ‘the year of the cyber-attack’. What’s more, Heimdal Security researchers have concluded that hackers will target your data with more ferocity than ever under GDPR. Cyber-criminals could hold you to ransom and extort money in order to keep the data breach a secret from the UK’s GDPR enforcer, the Information Commissioner’s Office (ICO), which, they’ll insist, will punish you with severe fines.
There are many sophisticated cyber-security solutions that can protect your data, and it’s important to take a multi-layered approach. Should hackers get past your first line of defence, you still have protection in place. In terms of which security measures you should prioritise…
2. Encryption is king
Not only is encryption one of the most effective ways of protecting your GDPR-sensitive data, it’s explicitly mentioned in the regulation. When the ICO throws you a bone like this, you should take it. As detailed in the regulation, encryption technologies “render the data unintelligible to any person who is not authorised to access it”.
Sophisticated encryption technologies won’t disrupt regular work practices, so users who have access to files will be able to open and work on them as usual. Encryption can be enacted at a file, folder or device level so you can choose the level of security applied. Should an unauthorised user try to access your data – be it a hacker or an innocent bystander in the event of accidental data disclosure – it will be unreadable and inaccessible. This protects you in cases of cyber-attacks and accidental or malicious disclosure by staff. And speaking of staff…
3. Your staff is a weak link
When you think of data breaches, you probably think of hackers and cyber-attacks. However, 30% of all data breaches are down to employee error according to data from Beazley. What’s more, when your business falls victim to a cyber-attack, there’s a 90% chance that there was an employee error somewhere down the line – whether that’s losing a device or clicking on a malicious email link and unknowingly infecting your IT estate with malware such as ransomware.
Your employees are both your first and final line of defence in keeping the PII data you hold safe. Education is absolutely critical to ensure your workforce is aware of the risks associated with data. You can do this in a number of ways, from mandatory training to simulated phishing attacks, whereby you create a realistic-looking but fake email and test how well your staff can spot email-borne threats. If a member of staff falls for the attack, they are directed to training to ensure it doesn’t happen again.
4. Control removable devices
As detailed above, there’s a huge risk attached to removable devices like USB sticks and mass-storage devices. Bring Your Own Device (BYOD) policies and the increasing number of portable devices afforded to staff members (all colleagues at TSG work on laptops rather than desktop PCs) increase the risk of lost or stolen devices.
At TSG, we’re in the process of implementing a removable storage policy which follows best practice guidelines around portable devices. Personal storage devices are not permitted, and any removable device must be both registered on our Asset Register and encrypted. This allows us to track all devices should one be lost or stolen, and follows the GDPR guidance on encryption.
5. Review your policies and procedures
A removable storage policy is just one policy that you should be looking at. The GDPR explicitly outlines that data controllers – those who “determine the purposes and means of processing personal data” – must review and put in place policies that safeguard sensitive data. This could include your privacy policy, data protection policy, employee contracts and more.
This task should be the primary, but not necessarily sole, responsibility of your Data Protection Officer (DPO), a key role outlined in the GDPR.
6. Appoint a Data Protection Officer
The role of the Data Protection Officer (DPO) is a key element of the GDPR, but whether or not it’s a legal requirement has been a source of confusion. The most important element is that you should appoint a DPO in some capacity, but it does not necessarily need to be a new hire, which will be a relief to small business owners.
The responsibilities of the DPO, who is essentially the person in charge of GDPR at a business, can be assigned to an existing staff member if it fits in with their job role. Additionally, the role can be part-time, outsourced or shared with another business if there isn’t the budget or – more importantly – the requirement for a full-time DPO.
The Article 29 Data Protection Working Party has advised businesses to assume they require a DPO unless they can prove otherwise.
7. Some action is more important than no action
If you’re only starting to think about GDPR now, this is the most important piece of information you should consider. The GDPR requires businesses to put in place “appropriate measures” to secure the PII data that they hold. Data breaches could still occur even if you put in place the most robust security solutions available, because hackers are getting cleverer and more sophisticated. The ICO won’t punish every business that experiences a data breach.
What you’re more likely to get penalised for is not taking any action. If your business experiences a data breach – deliberate or accidental – you must report it to the ICO and prove that you put those “appropriate measures” in place; that is more important to the ICO.
8. The highest fines are unlikely to be implemented
The headline fines of €20 million or 4% of global turnover have sent business owners, particularly small business owners, into a frenzy. And while it’s true that the ICO will have the power to impose these fines, the Commissioner has already stated that businesses will not be made an example of. It’s only in the most severe cases, with multiple serious breaches, that the ICO would consider the highest penalties.
9. Reporting requirements
Businesses must report breaches to the ICO within 72 hours of discovering the breach. Missing this deadline can be considered a bigger breach of the regulation than the data leak itself. A number of high-profile businesses have recently failed to disclose breaches promptly; this year it was revealed that the 2017 Equifax data breach wasn’t disclosed to the relevant authorities for months, and the full extent of the breach wasn’t revealed until January 2018.
In cases where the personal data leaked poses a risk to the victims, such as financial fraud or a risk to their “rights and freedoms”, you’ll also be required to inform those whose data has been compromised. The GDPR also requires you to have “breach detection, investigation and internal reporting procedures” in place. Technologies that have inbuilt root cause analysis can help you understand how your systems were compromised, provide the information to the ICO and take further preventative measures to ensure it doesn’t happen again.
10. Don’t cover up breaches
Failing to inform the ICO within the required timeframe is a significant breach of the GDPR, but an even bigger breach is covering it up entirely. As detailed above, hackers will use GDPR as leverage to extort money out of businesses; it’s easy to see why paying hundreds of thousands of pounds to the hackers to return your data and remain silent is more appealing than fines that could reach the millions, but this is exactly what could land you in hot water.
Uber’s now-infamous data breach, which occurred in 2016 and became public in 2017, is the perfect example of what not to do under GDPR. Uber is currently under investigation by UK, US and Philippine authorities, and according to a number of GDPR experts, Uber would have faced the most severe penalties had GDPR been in place at the time.
Article brought to you by UK based IT support company, Technology Services Group.