GDPR: evolution, not revolution
On the 25th of May 2018 GDPR comes into force throughout the UK and the EU. Worryingly, with just 6 months to go, only 40% of UK IT professionals have started preparing for compliance, and with 15% of them having no plans to prepare before the deadline, the industry is not in an ideal position.
There seems to be lots of confusion around GDPR. Let’s look at who it affects, what it’s for and practical steps you can take to become compliant.
What is GDPR?
In 1998 the Data Protection Act was passed by Parliament to control the way information is handled and to give legal rights to people who have information stored about them.
The Act was passed in an era before the birth of social media, the evolution of broadband and the adoption of handheld technology. No wonder it is out of date and unfit for purpose, especially when we consider the level of personal information we share on social media, and the access brands and businesses have to it on a daily basis.
The new regulation is a comprehensive uplift on the 1998 Data Protection Act, and is aimed at harmonising data protection throughout the EU. GDPR places far more emphasis on the individual being able to control their own personal data, ensures that consent is much clearer, and holds companies accountable for the personal data they hold.
Scaremongering and fines for non-compliance
With companies who fail to comply facing fines of £17 million or 4% of their global turnover (whichever is greater), it is no surprise that there is plenty of scaremongering.
This has been communicated deliberately as a catalyst to encourage compliance, especially for companies who hold large quantities of data.
It’s worth noting that of the 17,300 concluded cases of data breaches in 2016/17 only 16 of those resulted in fines for the organisations concerned.
Whilst the prospect of fines should not be ignored, it is safe to say that the ICO will not be handing them out haphazardly.
How will it impact my business?
The biggest impact it will have on businesses, particularly those who haven’t yet started working through the compliance process, is time. It’s not a particularly difficult process, but working through the steps and documenting them can often take months. Once achieved though, processes will be in place with clear actions to follow for continual compliance.
5 things you can do now to prepare for GDPR:
1. Know what data you have
Keep up-to-date asset registers and mapping documents of all the data you hold and where it is. Ensure you have data classifications, a documented reason for processing, and a record of whether you are the data controller or the data processor for each piece of information. Aside from GDPR, your intellectual property is also very important, so ensure you document this too.
2. Carry out risk assessments for your data
Once you know exactly what data you hold and where it is, you can start to analyse risk. For example, your most sensitive data could be accessible to everyone in your organisation, or may be stored in a country that is not compliant. Once you know the risks, you can aim to reduce them with the appropriate organisational and technical controls.
3. Review your organisational controls
Data protection in any organisation should be a priority for everyone, from the CEO or MD down! Ensure that your staff are vetted and trained, and are regularly updated on your organisation's information security and data protection policies. It may also be worth reviewing whether you need to appoint a Data Protection Officer. You should also review the policies and processes your organisation has in place, including incident management, information security and privacy policies, and consent forms. Your organisation should also have templates for data protection impact assessments (DPIAs), which the GDPR stipulates for when an organisation implements a new form of processing or new technology.
4. Review your technical controls
Firewalls, malware protection, encryption, vulnerability assessments, password policies and regular patching are things all organisations should be thinking of. When you implement these controls, think of them as underpinning your organisational controls. Depending on the nature of your business and the data you hold, your organisation may need to invest in more advanced or bespoke technology, as the GDPR puts an emphasis on implementing state-of-the-art security. Now is the time to review this and get the correct controls in place.
5. Consider critical data and cyber insurance
Even the most well-defended organisations in the world suffer data breaches! If the worst does happen, you may need to call in some help straight away. There are some fantastic aftercare insurance products on the market which will help your organisation recover swiftly from a damaging cyber-attack or data breach. This could include cyber forensics, public relations or covering the costs of downtime. Credit rating monitoring for you and your customers can also be implemented to ensure that stolen data is not being used for criminal financial purposes.
What can we do to help?
GDPR can sound daunting. At Surrey IT, our consultants will hold your hand through the process. You’ll have to do the heavy lifting, but our consultants will help you every step of the way and take the hard work out of compliance.
Once again, GDPR is not complicated, but it does take time.