9 essential cyber-security measures every business needs


What are the essential cyber-security measures every business needs?

In today’s digital era, advancements in technology are happening very rapidly. Therefore our defence systems against very real cyber-security threats must keep pace. If the correct measures aren’t taken, your business might be more at risk than you think. Here are 9 essential cyber-security measures your business can take.

Are you relying on the same security basics you were a few years ago?

It’s easy for time to pass unnoticed while all these advancements happen around us. Before you know it, you’re relying on the same old security basics to protect your business as you were a few years ago – firewalls, antivirus and intrusion detection software. Most people update their mobile phone software more frequently than that. So here are our 9 recommendations on how to keep your company more secure.

Why is it so important?

The truth is, we all feel impervious to cyber-crime and security breaches. It’s just something that happens to other people – until one day it’s not. Even if a direct financial attack is not a concern for a business because that’s locked down, many people are unaware of the intrinsic value of the data their business holds in today’s world.

Hackers aren’t just after your bank accounts.

Cyber-crime is now an industry that produces over £1 trillion in revenue for cyber-criminals. Ransomware can be used to encrypt a company’s files and hold them for ransom. Network penetration can enable mass data theft and crypto-jacking to harvest crypto-currencies by stealing your machine’s processing power. Money can even be gained by using social engineering to persuade employees to transfer cash to a fake bank account.

9 steps to combatting cyber-threats

1. A Unified Threat Management (UTM) system

A UTM system is a combination of security appliances and acts as your gateway to the internet.

2. A SPAM filter

A spam filter stops potentially malicious files from entering your network via email.

3. Antivirus/anti-malware software

Antivirus and Anti-malware are applications that protect your servers, laptops and other devices from malware.

4. A patch management system

A Patch Management System manages the installation of software updates to close security holes.

5. 2-Factor authentication

2-Factor Authentication gives you a second level of security, preventing unauthorised sign-ins.

6. Device encryption

Device Encryption makes any data stored on the machine useless to criminals and keeps your data secret.

7. A regular data backup

Regular data backups keep a copy of your business data at a secure off-site location in case the original is lost.

8. Content filtering

Content filtering prevents access to dangerous or illegal websites which reduces the risk of infection.

9. A disaster recovery plan

A Disaster Recovery Plan sets out how you will recover from an unplanned event such as a fire or cyber-attack.


Regulatory fines and costly lawsuits sting victims of cyber-crime too.

Keeping businesses cyber-secure is even more important since the implementation of the General Data Protection Regulation (GDPR – tailored by the Data Protection Act 2018). Businesses are responsible for their data leaks or breaches if the correct security protections/protocols have not been put in place. Hefty regulatory fines can be levied, and costly lawsuits can follow for the victims of a cyber-attack or security breach.

All businesses should ideally be looking at taking more than just the bare minimum steps to keep the company cyber-secure, but these 9 steps at least start the journey in the right direction. The next step beyond the basics is to become Cyber Essentials certified.

Cyber Essentials is a Government-backed Accreditation

Cyber Essentials is a government-backed accreditation that acts as a way to understand where your security succeeds and where it needs improvement. It’s similar to a cyber-security audit and allows you to see what your next steps in improving security will be.

Cyber Essentials still covers fairly basic security concepts, such as having the ability to remotely wipe devices, application whitelisting, daily virus scans and the disabling of OS utilities. All of which are simple things that you should already have in place. But it’s well worth going through the accreditation process if you haven’t already – it can improve your company’s image as well as open you up to working with more cyber-conscious clients.

If you want some help implementing the basics, or would just like some friendly advice, contact our team today.


GDPR Compliance: It’s an issue of transparency

The General Data Protection Regulation (GDPR) has been on the lips of security professionals for a long time now – but in just over a month, it will become a reality. While it’s easy to focus on potential fines or security procedures, many still overlook the heart of the regulation: transparency.

Why GDPR compliance is an issue of transparency

Getting the bigger picture

It goes without saying that transparency is important for data protection and security. With the recent news around Facebook continuing to grab headlines, businesses are under more pressure than ever to present a transparent and secure organisation. However, this focus can sometimes be lost when it comes to the day-to-day.

The issue lies in the siloed approach that some teams take with their data. Establishing a firewall, patching vulnerabilities or encrypting a specific data set can often ignore the wider aim of digital transparency. Even with the long notice period that IT departments have had, GDPR will still throw up numerous challenges in this regard, and these will vary depending on the sector, clients, staff and business size.

Ensuring the business recognises the bigger picture of GDPR can help clarify many of these issues. However, considering the pressures that many security teams are already under, this needs to be managed efficiently. If IT teams ask themselves whether decisions will improve the data transparency of the business, they will be better able to determine whether these activities will help them achieve compliance with GDPR.

Being practical with compliance

There are some practical steps that companies can take to ensure the business maintains an awareness of the bigger picture around GDPR and data transparency. In essence, they will require a collaborative effort between IT, senior management and general staff.

Most IT departments will already have addressed the need for improved security, but this does not necessarily imply digital transparency. While you can pseudonymise client data, or otherwise defend it, this may not satisfy GDPR’s “right to be forgotten” requirement.

For example, if the business struggles to easily pull up client information it is in just as precarious a position as if it had out of date firewalls. Back-end systems that can provide a clear overview of individual data sets need to be implemented alongside up to date security processes; the business is otherwise leaving a major element of the regulation unattended.

Thinking beyond IT

There is also the need to think beyond the technology. You will need to build data transparency needs into any client communication as well. Although GDPR can seem to be solely in the realm of IT, other departments also need to comply. The change to consent, which requires the creation of an ‘opt-in’ option for data usage, will extend beyond IT. In fact, it will encompass a diverse range of areas from marketing to customer services. Having these groups work together to ensure clear communication is a vital part of compliance.

Additionally, staff need to be aware of external threats and the need to communicate any data breaches rapidly. With only 72 hours to notify the regulator, there can be no delay from the business in this regard. Staff have long been the first line of defence when it comes to flagging an external threat, but under GDPR they will also be responsible for notifying the ICO of any breach.

IT teams can see these factors as a tough challenge, but this is where you need to involve senior management. Leading by example is the easiest way businesses can ensure all teams are working together to ensure GDPR compliance. Ensuring that senior leadership understand and accept this responsibility will help establish a consistent and reliable chain of command.

Thinking beyond regulation

In just over a month, businesses will be tested on their compliance with this huge piece of legislation. While security teams can ensure the technology is up to scratch, there is a need to highlight the importance of compliance at every level. This is not just to appease the regulator, but also to build a future-proofed business.

If all teams can commit to this collaborative approach, the outcome will have lasting effects on the company. The immediate benefits will be legal compliance with the GDPR – through improved security and via communication with colleagues and clients. However, the wider benefit will exist in a business-wide emphasis on transparency. As pressure continues to mount for businesses to display transparency at every level, GDPR – if handled effectively – has the potential to help address this growing trend.

[INFOGRAPHIC] GDPR Quick Facts: What changes are in store

The official start of the EU’s General Data Protection Regulation (GDPR) is now just nine months away. This new regulation has been four years in the making and will standardise and strengthen data protection across the EU. It will also provide individuals with a greater say in how companies can use their data.

Although Britain has begun the process of leaving the EU, UK businesses will still need to prepare for GDPR. This is because the regulation applies to anyone who processes personal data belonging to EU citizens, regardless of whether the business itself has a base in the UK.

The implementation of GDPR will result in marked changes to data protection law, including how companies process data, how they obtain consent and how they secure and store that personal data. Below we have outlined 8 key changes GDPR will bring in which businesses should be aware of.

8 quick facts about the GDPR - Upcoming Changes

GDPR for CIOs: Why it’s important and what you need to do


The 25th of May 2018 was when GDPR came into full force. Designed to standardise data protection measures across Europe, GDPR provides individuals with greater rights and establishes a modern framework with which companies need to comply. GDPR applies to any organisation, regardless of whether it is actually based in the EU, if it processes the data of EU citizens.

With the GDPR bringing in numerous changes, such as widening the definition of personal data, increasing the rights of individuals and establishing new obligations regarding personal data breaches, complying with the regulation will be no small feat. It is likely that many organisations will need to carry out data audits, review processes and privacy notices, assess their current data protection methods and explore technological solutions to help achieve compliance.

To help your organisation prepare for these upcoming changes we’ve put together a list of key points that CIOs should be aware of:

5 important things CIOs need to be aware of

1. You need to know your data

The first step in your journey to compliance with the GDPR is to know exactly what personal data you hold, where you hold it, who has access to it and how you process it. All organisations will have data across multiple systems such as file shares, Sharepoint, databases, cloud systems and social platforms like Yammer. You may not have even identified some of it yet. With a vast amount of data out there to discover, classify and report on it will be necessary to investigate technology solutions that can assist.

2. “Privacy by Design” is an obligation – not a recommendation

The ICO and other regulatory authorities have long recommended that organisations take a “Privacy by Design” approach, but the GDPR outlines this as an obligation. In the past, privacy controls may have been the last thought, but now they will need to be embedded into every system that handles data right from the very start and throughout the entire lifecycle of the project. The GDPR states that you must “implement technical and organisational measures to show that you have considered and integrated data protection into your processing activities”, to ensure that Personally Identifiable Information (PII) is protected.

As part of this approach by default, you will now have to give consumers maximum privacy protection. They can have the ability to lower this, for example when setting up a social media profile they can reduce the default privacy settings, but the maximum settings have to be the baseline. Achieving these obligations involves enacting measures such as explicit opt-in, safeguards to protect consumer data, restricted sharing, and minimised data collection and retention.

3. You will need to undertake Data Protection Impact Assessments

In line with the “Privacy by Design” obligation, organisations will need to undertake Data Protection Impact Assessments (DPIAs) to ensure they comply with data protection obligations and meet individuals’ expectations of privacy. A DPIA is a risk management tool that allows organisations to identify and fix data protection problems in the early stages of a project before they cause damage – both to individuals and the organisation involved. When carrying out a DPIA you should document:

  • what kind of personal information you will collect;
  • how you will collect, process and store that personal information;
  • how and why you can share it; and
  • how you will protect it from inappropriate disclosure at each step

According to the GDPR, a DPIA should be carried out where “processing operations are likely to result in a high risk to the rights and freedoms of natural persons by virtue of their nature, scope, context and purpose”.

The Information Commissioner’s Office (ICO) states that organisations must carry out a DPIA when using new technologies and when the processing is likely to result in a high risk to the rights and freedoms.

4. Breach notifications are mandatory

Not only could breaches potentially carry much larger fines once the GDPR is in place, but there are also strict requirements when it comes to reporting such a breach to your supervisory authority and to the individuals affected. If your company suffers a personal data breach that is likely to result in a risk to the rights and freedoms of individuals then you must notify the relevant supervisory authority within 72 hours of discovering the breach, including the following information:

  • The nature of the personal data breach including where possible:
    • the categories and approximate numbers of individuals concerned; and
    • the categories and approximate number of data records concerned
  • The name and contact details of your Data Protection Officer or another contact point
  • A description of the likely consequences of the personal data breach; and
  • A description of the measures taken to deal with the breach and mitigate any possible effects

A personal data breach that is likely to result in a “high risk” to the rights and freedoms of individuals, requires organisations to notify those concerned directly and “without undue delay”. One example of such a breach could be the loss of customer details which leaves individuals open to identity theft. Failure to notify when required could result in a significant fine of up to €10 million or 2% of your global turnover.

5. You must take a “risk-based” approach

Certain pieces of personal data can be considered more high risk (or more valuable in the eyes of a cybercriminal). As such not all data will need the same level of protection. Not only will organisations need to know their data they will also need to decide how exactly to protect it. This will depend on how you store and process it, and the level of risk it could pose to concerned individuals. When conducting a data audit you may need to move, delete, encrypt or block certain pieces of personal data. The ability to do this proactively, and keep detailed records of your decisions and activities, will be key to compliance.

What next?

Achieving compliance will require a concentrated effort across the whole organisation. Although there is some confusion on who bears responsibility for GDPR, it will likely involve multiple parties. Key people involved could include the Data Protection Officer, the Chief Data Officer, Chief Information Officer, Chief Information Security Officer and senior leadership from departments such as HR and Marketing. It will depend on your organisation’s structure. The board will also need to understand the implications of the GDPR and why it’s necessary to make changes – which could involve financial outlay.

Even though the UK is planning to leave the EU, organisations will still need to comply with the GDPR when data passes through the EU, even if they have no influence on its direction. Furthermore, the UK plans to continue to apply the regulation by transferring into UK law through a new Data Protection Bill, so waiting to implement GDPR principles within your organisation would not be a wise move.

Do I need a Data Protection Officer to comply with GDPR?

The countdown is on for the official GDPR implementation date as the six-month deadline approaches. Many organisations will be in the process of reviewing the data they hold, where it is stored, how it is processed and who has access to it, as well as various other requirements they need to implement before 25th May 2018.

One such requirement you may have come across is the appointment of a Data Protection Officer. In brief, this is an enterprise-level security role designed to help processors and controllers comply with their GDPR requirements. Specifically, Articles 37-39 relate to the DPO’s role and requirements, but does your organisation actually need to appoint one to comply with the new regulation?


Which organisations need a Data Protection Officer?

Under the GDPR (Article 37), you must appoint a Data Protection Officer (DPO) if:

  • You are a public authority (except courts acting in their judicial capacity); or
  • You are a controller or processor whose core activities consist of processing operations which require regular and systematic processing of data subjects on a large scale; or
  • You are a controller or processor whose core activities consist of processing on a large scale of sensitive data or data relating to criminal convictions/offences

The Article 29 Working Party (WP29) has now published additional guidance to clarify the requirements for appointing a Data Protection Officer outlined in Article 37.

“Core Activities”

For processing to be considered a core activity it should be part of the key operations to achieve the controller/processor’s objectives which “forms an inextricable part of the controller’s or processor’s activity”. This would not include support activities such as payroll or IT support, which are typically supporting functions.

“Large Scale”

Organisations should take into account the following factors when considering whether their processing is “large scale”:

  • The number of data subjects concerned;
  • The volume of data or the range of data items;
  • The duration of processing; and
  • The geographical extent of processing

“Regular and Systematic Processing”

This would “include all forms of tracking and profiling on the internet, including for the purposes of behavioural advertising”; however, it could also include offline activity. According to the WP29, “regular” monitoring means monitoring which is:

  • Ongoing/occurring at particular intervals for a particular period;
  • Recurring or repeating at fixed times; or
  • Constantly or periodically taking place

If you are a public authority or your processing activities meet any of the above requirements then it will be mandatory for you to appoint a DPO in order to comply with the GDPR. However, any organisation can appoint a DPO if they wish. For those that decide to do so it is important to remember that voluntary DPOs will still be subject to the same requirements and responsibilities as mandatory DPOs.

The Information Commissioner’s Office has further stated that, regardless of whether you are obliged to appoint a DPO, you must ensure that your organisation has “sufficient staff and skills to discharge your obligations under the GDPR”.

The WP29 advises that, unless it’s obvious that your organisation does not require a DPO, you should keep records of your decision-making process on how and why you have decided not to appoint one.

Roles and Responsibilities of a Data Protection Officer

  • Educate the company and employees on important compliance requirements
  • Train staff who are involved in data processing
  • Conduct audits to ensure compliance and address potential issues proactively
  • Be the point of contact for supervisory authorities and for individuals who submit requests regarding their personal data
  • Maintain comprehensive records of all data processing activities conducted by the company, including the purpose of all processing activities
  • Communicate with individuals to inform them how their data is being used, their right to have their personal data erased, and what measures the company has put in place to protect their personal information.

Who can be a Data Protection Officer?

You can outsource your requirement to a third party or you can appoint a current staff member as your DPO, as long as there are no conflicts of interest with their current role.

The GDPR has not defined a particular list of qualifications or required experience. However, it does require a DPO to have “expert knowledge of data protection laws and practices”. This knowledge should be proportionate to the type of processing your organisation carries out and take into consideration the level of protection the personal data requires. Unsurprisingly, your DPO should also have a deep understanding of the GDPR.

Ideally, a DPO should have excellent management skills and the ability to communicate with internal staff, supervisory authorities and members of the public. They must be able to manage data protection and compliance internally, and ensure they report any breaches or non-compliance to the relevant supervisory authority.

As an employer you also have specific duties when it comes to your DPO, namely, you must ensure that:

  • The DPO reports to the highest management level of your organisation e.g. the board
  • The DPO operates independently and is not dismissed or penalised for performing their duty
  • Adequate resources are provided to ensure the DPO can meet their GDPR obligations

The DPO is a highly accountable role, requiring certain expertise and experience, so it’s important to hire the right person. Organisations should assume they require a DPO – unless they can clearly demonstrate otherwise. Even where one is not required, according to advice from the ICO and WP29 it could be best practice to appoint one anyway. Just bear in mind they will have the same requirements and responsibilities as mandatory DPOs.


How to protect personal data and comply with GDPR


In order to comply with the GDPR, organisations must implement appropriate technical measures that ensure compliance. This is established under Article 32, which delineates the GDPR’s “security of processing standards”, and is required of both data controllers and data processors.

When implementing these measures the Regulation does state that “the state of the art and the costs of implementation” and “the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons” must be taken into account.

Due to the different ways organisations collect, store and process data, as well as the different levels of risk this presents to users, there will not be one universal set of technical and organisational measures. However, the GDPR has set out some suggested methods for data protection.

Privacy by Design and Privacy by Default

Although supervisory authorities have typically advised that organisations take this approach, for the first time GDPR actually lays out “privacy by design” and “privacy by default” as specific obligations. Under this requirement, companies will need to design compliant policies and systems from the outset.

Under Article 25, a data controller is required to implement appropriate technical and organisational measures at the time of determining the means of processing and at the time of the actual processing. When determining what measures to implement, the controller should take into account “the state of the art, the cost of implementation and the nature, scope, context and purposes of the processing, as well as the likelihood and severity of risks to the individual posed by the processing of their data”.

In addition, organisations must give individuals the maximum privacy protection as a baseline: for example, explicit opt-ins, safeguards to protect consumer data, restricted sharing, and retention policies. If someone creates a new social media profile, the most privacy-friendly settings will be enabled, and it would then be up to the user to reduce these if they so wished. This approach directly lowers the data security risk profile: the less data you have, the less damaging a breach will be.

Data Minimisation

An essential principle of data protection, data minimisation establishes that personal data should not be retained or further used unless it is necessary for purposes clearly stated at the time of collection. The principle applies to the entire lifecycle of personal data. This includes the amount collected, the extent of the processing and the period of storage and accessibility.

Data must be “adequate, relevant and limited to what is necessary, in relation to the purposes for which they were processed”. This means controllers need to make sure that they collect enough data to achieve their purpose but not beyond that.

Privacy Impact Assessments

These are an integral part of the “privacy by design” approach and can help you identify and reduce the privacy risks of your projects. They allow organisations to find and fix problems at the early stage of any project, reduce the associated costs and reputational damage that may otherwise accompany a data breach.

Some situations where organisations should carry out a Privacy Impact Assessment (PIA) include:

  • A new IT system for storing and accessing personal data
  • A business acquisition
  • A data-sharing initiative
  • Using existing data for a new and unexpected or more intrusive purpose
  • A new surveillance system
  • A new database that consolidates information held by separate parts of an organisation

Under Article 35 of the GDPR, PIAs are mandatory for organisations with technologies and processes that are likely to result in a high risk to the rights and freedoms of data subjects. However, they are a good strategic tool for any organisation which processes, stores or transfers personal data.

GDPR Rights

Pseudonymisation

Article 4(5) of the GDPR defines pseudonymisation as “the processing of data in such a way that it can no longer be attributed to a specific data subject without the use of additional information”. For a data set to be pseudonymised, organisations must keep the “additional information” separate and secure from the de-identified data.

The GDPR incentivises data handlers to implement this method because it allows them to use personal data more liberally without infringing on individuals’ rights. This is outlined in Article 6(4)(e), which states that pseudonymised data may be processed for uses beyond the purpose the data was originally collected for. This is because the data only becomes identifiable when held with the “additional information”.

However, it is important to note that pseudonymisation is not a cast-iron guarantee of data protection. It does not mean organisations using this method would not need to report a data breach to their supervisory authority.

The effectiveness of pseudonymisation hinges on its ability to protect individuals from “re-identification”. This depends on a number of things including;

  • the techniques used for pseudonymisation;
  • the location of the additional identifiable elements in relation to the pseudonymised data; and
  • the likelihood that non-identifiable elements could uniquely identify a specific individual

Unfortunately, the GDPR is quite vague on the level of data protection pseudonymisation itself provides. Only in Recital 26 does it mention that data handlers should take into account whether re-identification is “reasonably likely”.

There are no official guidelines as to what constitutes “reasonably likely”; the GDPR merely advises that data handlers take into account “all objective factors”, for example “the costs of and the amount of time required for identification, the available technology at the time of the processing and technological developments.”
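To make the pseudonymisation points above concrete, here is an added Python example (written for this page, not code from the original article or any project it describes). It replaces a direct identifier with a keyed HMAC token, returns the re-identification table separately so it can be stored apart from the data set as the Article 4(5) “additional information”, and then checks the remaining quasi-identifiers for combinations that occur only once, which is the kind of “reasonably likely” re-identification risk Recital 26 asks you to weigh. The records, field names and key are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample records (fictitious people) for the demonstration.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "postcode_area": "SW1", "year_of_birth": 1980, "balance": 120},
    {"email": "bob@example.com", "postcode_area": "SW1", "year_of_birth": 1980, "balance": 75},
    {"email": "carol@example.com", "postcode_area": "EH1", "year_of_birth": 1975, "balance": 300},
]

DIRECT_IDENTIFIER = "email"  # the field that names the person outright
QUASI_IDENTIFIERS = ("postcode_area", "year_of_birth")  # fields that can single someone out in combination


def make_pseudonym(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 token for one identifier value.

    A plain unkeyed hash could be matched by hashing a list of known emails;
    with the key held separately, the token cannot be reversed or matched
    without it."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key):
    """Replace the direct identifier with a token.

    Returns (pseudonymised_records, lookup_table). The lookup table and the key
    are the 'additional information': keep them in a separate store with
    tighter access controls than the pseudonymised data set."""
    pseudonymised = []
    lookup = {}
    for rec in records:
        token = make_pseudonym(rec[DIRECT_IDENTIFIER], key)
        lookup[token] = rec[DIRECT_IDENTIFIER]
        new_rec = {k: v for k, v in rec.items() if k != DIRECT_IDENTIFIER}
        new_rec["subject_id"] = token
        pseudonymised.append(new_rec)
    return pseudonymised, lookup


def reidentify(record, lookup):
    """Re-attach the identity; only possible with the separately held table."""
    return lookup.get(record["subject_id"])


def singled_out(records, quasi_fields=QUASI_IDENTIFIERS):
    """Return the quasi-identifier combinations that occur exactly once.

    A row with a unique combination can still be linked to a person from an
    outside source even though its direct identifier is gone, so these rows
    need further generalisation (e.g. coarser postcode or age band) or a
    documented decision that re-identification is not reasonably likely."""
    counts = Counter(tuple(r[f] for f in quasi_fields) for r in records)
    return sorted(combo for combo, n in counts.items() if n == 1)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in practice generated once and stored apart from the data
    pseudo, table = pseudonymise(SAMPLE_RECORDS, key)
    for row in pseudo:
        print(row)
    print("unique quasi-identifier combinations:", singled_out(pseudo))
```

Because the token is deterministic for a given key, records about the same person still join across tables, which is what makes pseudonymised data usable for the wider processing Article 6(4)(e) allows; the uniqueness check is the reminder that removing the direct identifier alone is not a guarantee, which is why a breach of such data may still be notifiable.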

What should organisations do?

The bottom line is that organisations should embed privacy into every process, procedure and system which handles data. Under GDPR organisations need a proactive approach to data privacy and protection. It should be an important part of the planning process and throughout the entire lifecycle.

There are many security measures that businesses can implement. Ideally, you should be looking at solutions that cover multiple angles. Relying solely on encryption or pseudonymisation won’t cut it.

Cyber-security advice for law firms preparing for GDPR


With less than 10 months to go until the General Data Protection Regulation (GDPR) officially comes into force firms should certainly be starting their preparations to ensure they meet compliance requirements as soon as possible – if they haven’t already begun.

The implementation of GDPR is likely to have far-reaching consequences. It will standardise data protection regulations across Europe and introduce strict financial penalties for those who do not comply, far greater than any we have seen before. For law firms who are responsible for a wealth of sensitive client data, such as those who handle high net worth individuals or who share personal data with third parties under lasting powers of attorney, this is likely to be a challenging time as they strive to get ready for the new restrictions enforced by the GDPR.

However, GDPR is not just another tick-box exercise which can be set aside once compliance is achieved. Not only are there actions firms will need to carry out regularly to ensure they remain in line, there are also future risks to consider. The cyber security landscape is ever-changing and the risks are only increasing, as demonstrated by the global WannaCry and “Petya” attacks earlier this year. As GDPR further widens the definition of personal data and places an even greater monetary value upon it, this makes it an even more attractive target for cybercriminals and, by extension, potentially increases the risk of cyberattacks against law firms.

The future for law firms

You can certainly expect to see indemnity insurance premiums ramp up considerably, as potential compliance-related fines go from tens of thousands of pounds into potentially millions. The penalties for data breaches are going to be high. Fines for non-compliance will reach €20 million or 4% of global turnover, whichever is greater.

Traditionally firms may have tried to keep any data breaches under wraps. Under GDPR, however, a breach that is likely to put individuals’ rights at risk must be reported to the Information Commissioner’s Office (ICO) or the relevant supervisory authority (for example, if the breach occurred outside of the UK), and where the risk to those individuals is high they must be notified as well. Firms must report the breach within 72 hours of becoming aware of it, and failure to do so can lead to significant fines on top of any fines for the breach itself. As data is often stolen during a breach, this could have a significant reputational impact, along with compensation claims from those affected. Hackers could also use the stolen data to hold the firm to ransom.

GDPR will further fuel the rise of ransomware attacks because the impact on the target is now so much greater. Until now, attacks were mainly an inconvenience for the majority: you reverted to the last backup, which was painful, but the damage was often contained. Under GDPR the impact will be higher, because the party held to ransom will want more than just the return of their data; they will want to prevent that data from being leaked, given the potential fines. It is now common for ransomware authors to build in “datanapping” capabilities that steal information before locking a business out of it. With the introduction of GDPR, the threat of leaking stolen data will be just as effective a lever as the traditional encryption payload. A tested, offline backup still defeats the encryption half of the attack, but it does nothing against the exfiltration half, which is why controls that detect and block unusual outbound data transfers matter as much as backups.

Phishing attacks are also likely to increase, and I would expect their complexity and sophistication to grow alongside the rise in ransomware. The potential earnings for fraudsters have started a “global arms race”. Initially, attacks have been widespread and not necessarily focused on the legal market. However, a number of significant breaches, together with the reluctance of large swathes of small and mid-market firms to invest in appropriate security, will make these organisations an attractive target.

The risks to law firms are real and should be addressed through a standard risk register, with applicable controls applied against each risk. In reality, many firms will need to invest in improving their security systems alongside ensuring they are compliant with GDPR. This is essential and cannot be ignored; some firms are simply fortunate that they haven’t been breached yet. At the end of the day, if there is a risk of burglary it makes sense to install an alarm.

Robert Rutherford, CEO of QuoStar

9 quick tips to help your business achieve GDPR compliance

On the 25th of May 2018, the General Data Protection Regulation (GDPR) officially came into force. The new regulation from the EU, which was four years in the making, aimed to standardise and strengthen data protection across the EU, giving citizens greater control over how companies use their personal data.

With the maximum fine for failing to comply with GDPR being €20 million or 4% of global annual turnover, whichever is higher, it is imperative that a business complies with the regulation if it wants to stay in business.

Although Britain has triggered Article 50, marking the official start of Brexit, businesses in the UK still need to comply with GDPR. The regulation applies to any organisation that processes the personal data of individuals in the EU, even if the organisation itself is not in the EU.

Despite organisations being given a two-year transition period to prepare for the start of the GDPR, and the legislation now having come into effect, many businesses have made no effort to become compliant.

Because GDPR builds on the requirements of the 1998 Data Protection Act, many businesses may mistakenly believe that if they were DPA compliant they will be GDPR compliant. But there are several major differences between the two.

Below we’ve outlined some quick tips for compliance. We recommend that organisations make sure they have achieved compliance if they want to avoid the heavy fines that can result.

9 tips for GDPR compliance

1. Appoint a Data Protection Officer (DPO)

Somebody must hold the role of Data Protection Officer where GDPR requires one. A DPO is mandatory for public authorities and for organisations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data (such as health data) or criminal conviction data. The DPO does not have to be a full-time employee and the role can be outsourced to a third party, but they must report to the firm’s senior management and must not be given other duties that conflict with the role. Even where a DPO is not mandatory, it is worth designating someone to own data protection within the firm.

2. Know how you can use data

You will likely store personal client data on file and across different IT systems. Under GDPR it is imperative that you understand what personal data you hold, where it is, and how you process it. You may have had initial consent from the client, but this does not necessarily mean you have consent to process that data in a different way or for a different purpose. You may need to obtain renewed consent, and you will certainly need to review your consent forms and documents to ensure they are robust enough to cover you.

3. Make people aware

All key decision-makers and management within the firm should understand the full implications of GDPR. We’ve compiled the five most important details that CIOs need to know, and there is a wealth of information about GDPR on the official European Commission website, as well as guidance aimed at UK organisations from the ICO.

4. Data on children

There is a big focus within GDPR on data held about children. Where you rely on consent to offer online services directly to a child, GDPR sets the age at which a child can consent for themselves at 16, and member states may lower this to 13 (as the UK has done). You need to know how you verify the ages of individuals and how you will obtain parent or guardian consent for processing children’s data below that age.

5. Ensure your data processors are up to speed

It is worth taking the time to assess every service provider and every individual who processes personal data for you. Under GDPR you must have a written contract with each processor covering the matters the regulation specifies, and processors must give sufficient guarantees that they apply appropriate technical and organisational measures. It’s important they fully understand the changes that have come along and that they are taking responsibility for them. Training would likely be beneficial, and it’s also important to continually monitor, report and audit. You can undertake Data Protection Impact Assessments (DPIAs, the GDPR’s successor to Privacy Impact Assessments) to review processes and deal with any required remedial action; a DPIA is mandatory for processing that is likely to result in a high risk to individuals.

6. Understand your client’s rights

The client has increased rights beyond the 1998 Data Protection Act over the data you hold on them, such as the right to erasure, the right to be informed, the right to restrict processing, and so on.

The right to data portability is completely new, so it’s worth taking another look at the full list of clients’ rights and going over each of them to ensure your policies and procedures are compliant.

Assessing how you delete data and how you present it on demand, i.e. in what document format, is also worth considering.

7. Review consent and fair processing policies

The GDPR goes beyond legacy requirements around the information that must be provided to data subjects when requesting consent to process personal data. The consent processes and protections already in place may no longer be adequate under GDPR. Firms should use simple language when asking for consent to collect personal data and be completely clear about how they will use it; don’t make any assumptions. Silence, pre-ticked boxes or inactivity from a client do not constitute consent, and consent must be as easy to withdraw as it was to give. Any issues around consent will certainly lead to problems and potentially large fines.

8. Prepare for a data breach

Even with GDPR in full swing, many firms have no truly usable, documented policies and procedures for how they will respond to a security breach. A firm needs to know exactly how it will deal with a breach, as making decisions while it’s all falling apart around you can make a bad situation even worse. At a minimum the plan should say who decides whether a breach is reportable, who notifies the supervisory authority within the 72-hour window, and what evidence (logs, timelines, affected records) is kept to support that decision. GDPR also requires you to document every breach, including those you decide not to report.

9. Use technology for automation

Many firms already have systems in place to assist with compliance and risk checks, and the same or a similar system can be used to help with GDPR compliance. It is worthwhile speaking to your vendors about how they can help automate the management of your GDPR obligations (as far as possible). After all, the more you can automate, the less risk there is of something slipping through the net.

What is the General Data Protection Regulation (GDPR)?

The General Data Protection Regulation (GDPR) is a piece of EU legislation that came into force on the 25th of May, 2018. It changed the way companies are allowed to collect and process data about individuals within the EU, providing more rights to the consumer and introducing stricter penalties for businesses that fail to comply.

Do companies outside the EU need to comply with GDPR?

Any company that processes the personal data of individuals in the EU needs to comply with GDPR, even if the company is located outside the EU (specifically, where it offers goods or services to people in the EU or monitors their behaviour). This means that UK businesses will still need to comply post-Brexit, and companies in the Americas, Asia, Africa, Australia and even Antarctica will need to comply with GDPR if they process the data of anyone in the EU.

Why did the EU introduce GDPR?

The GDPR has been four years in the making, and one of the main reasons for its introduction is the changing ways companies are using personal data. Many companies such as Facebook, Google and other social networks swap access to people’s data for use of their services.

GDPR replaced the 1995 Data Protection Directive, which the UK had implemented as the 1998 Data Protection Act and which did not account for the new ways companies were using personal data. Another driver behind GDPR was to give businesses a simpler, clearer legal environment to operate in, with one regulation applying directly across all member states.

Who does GDPR apply to?

The legislation applies to both “controllers” and “processors” of personal data. A “controller” determines how and why personal data is processed, whereas a “processor” processes the data on the controller’s behalf. It is the controller’s responsibility to make sure its processors abide by data protection law, but processors now have direct obligations of their own, including maintaining records of their processing activities, securing the data and telling the controller without undue delay when they suffer a breach.

What do businesses need to be aware of regarding GDPR?

The GDPR expands the definition of personal data considerably, in line with the types of data organisations collect about individuals.

Organisations must ensure that they process personal data lawfully, transparently and for a specified purpose. Consent is one of six lawful bases for processing; where you rely on it, it must come in the form of an active opt-in, and there must be a record of how and when the individual gave it. The individual can withdraw consent at any time, at which point you must stop the processing that relied on it and delete the data unless another lawful basis (such as a legal obligation to retain records) applies.

Individuals have the right to ask for access to their data at “reasonable intervals”, and the controller must respond to the request within one month. Controllers can no longer charge for such a request unless it is manifestly unfounded or excessive, for example because it is repetitive.

They also have “the right to be forgotten”. Individuals can demand that their data is deleted if it is no longer necessary for the original purpose it was collected. Furthermore, individuals can also demand the erasure of their data if they withdraw consent for data collection or if they object to processing activities.

At the individual’s request, controllers must provide the personal data they hold in a structured, commonly used and machine-readable format, such as a CSV file, which can be transferred to another organisation (the right to data portability). If an individual makes such a request, the controller has one month to comply.

What if I don’t comply with GDPR?

Penalties under the GDPR are much tougher than any data protection regulations we’ve seen before, so, if you haven’t done so already, you will want to prioritise preparations.

If you fail to obtain proper consent, ignore individuals’ rights over their personal data, transfer data outside the EU without appropriate safeguards, or ignore any of the other principles for processing data, then your data protection authority could issue a penalty of up to €20 million or 4% of your global annual turnover, whichever is higher.

There are also financial penalties for failing to report a data breach within the specified time period. If you do not notify your data protection authority within 72 hours of becoming aware of a reportable breach, you could face a fine of up to €10 million or 2% of your global annual turnover, whichever is higher.

Under the 1998 Data Protection Act, the maximum fine for a data breach was £500,000, and the highest penalty actually issued was £400,000, levied on TalkTalk in 2016 following its breach in October 2015. Had that breach occurred under GDPR, the fine has been estimated at up to £59 million, a considerable jump.

This is only intended as a high-level overview of the key points of the GDPR. Organisations should carry out their own research and seek professional advice on the steps they need to take to comply.