GDPR, or the General Data Protection Regulation, is a new piece of EU legislation which becomes compulsory in May 2018, following a two-year implementation period. Despite Brexit, GDPR still has an impact on UK companies. With the triggering of Article 50 set to happen in March 2017, the timings mean that Britain will still experience life under GDPR. Even in a post-Brexit world, any organisation, wherever it is based, that offers goods or services to people in the EU, or collects, controls or processes their personal data, must abide by the GDPR rules.
GDPR – Key details
Businesses are familiar with the existing data protection laws, but they may need to make changes to adapt to the new legislation. Here are the key details about GDPR:
- GDPR applies to organisations outside the EU that either offer goods or services within the EU or hold data on people in the EU
- Some companies need to appoint a data protection officer as part of their accountability programme
- Personal data under GDPR is any information relating to an identifiable individual. This includes the obvious, such as name and date of birth, as well as less obvious identifiers such as IP addresses, device IDs and customer reference numbers. There is some confusion over what different EU member states consider to be personal data, but the safe approach is to treat all information relating to an individual as data which must be protected
- Demonstrating compliance will require things like data protection impact assessments, additional paperwork and record keeping of what data is held, why, and who it is shared with
- Companies must make it as easy for a person to withdraw their consent for the processing and storage of their personal data as it was to give it, and any intent to use data for marketing must be completely transparent. Because consent must be demonstrable, companies need to record when, how and for what purpose each consent was given
- Data controllers (in practice, the business owner in smaller companies) must notify the relevant supervisory authority (the ICO in the UK) of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it. Where the breach is likely to result in a high risk to the individuals concerned, they must be told as well. Failing to notify in time can incur a substantial fine
GDPR and data storage
Whether you use virtual or physical servers, the rules about data protection are the same. Encryption alone is not enough to prevent a breach: an attacker who logs in with a stolen or weak password reads the data in the clear, just as a legitimate user would. We recommend the following:
- Single sign-on where possible, so that each user has one account to secure and one account to disable when they leave, rather than a sprawl of separate logins and passwords
- Strong, unique passwords (length matters more than forcing a mix of letters and digits) and no reuse of passwords across services
- Encryption of data both at rest (on disks, in databases and in backups) and in transit over the network or when shared with third parties, with the keys stored separately from the data they protect
- Access controls on sensitive information such as HR data, granting each role only the permissions it actually needs and reviewing them regularly
- Multi-factor authentication, particularly for remote access, email and administrative accounts
- Robust BYOD policies, where company data is automatically wiped from a device if a staff member leaves or the device is lost or stolen, and where the company data that can be accessed on the move is restricted
The role of IT suppliers
Some businesses might think their IT supplier is partly or wholly responsible for the safe storage of their data, but in reality it should be a group effort in collecting, storing and protecting it. Under GDPR the business remains the controller and stays accountable even when a supplier processes the data on its behalf. Often, a data breach is caused by user error rather than an IT fault, so businesses must address their internal issues and processes first, then work with their IT supplier to make changes.
We recommend that businesses start by evaluating all of the data they collect and deleting what they do not need. Holding only the data that is strictly relevant to the business reduces what has to be protected and what is exposed in a breach, and it helps with compliance, since data minimisation is one of GDPR's core principles. Auditing all business processes is also an important early step: from hiring someone to completing a transaction, each process is likely to involve personal data in some shape or form. Consider how each of these processes could be made more secure and work with your IT supplier to address any gaps.
Staff training is essential. If you need to change your IT policies, do it now and make sure employees understand their individual responsibility, as well as how to spot malicious attacks such as phishing and ransomware. By complying with company policies, they are protecting the personal data the business holds, and with it their own jobs. Some businesses also use user behaviour analytics to identify staff who are visiting potentially dangerous sites or mistakenly downloading malicious software.
The best way to ensure compliance and adapt to changing legislation is to work closely with your IT supplier. Share the results of your audits and ask for their recommendations. It is far easier for them to help you protect data if they understand your broader company policies and any changes you are making. In summary, working in partnership with them can help you avoid unwanted fines and protect your business for the future.