Our increasing love of anything digital, from mobile shopping to social media, means the amount of data held by organisations on people’s tastes, opinions, bank accounts and medical history is greater than ever.
Such data is prized by cyber hackers, from bored teenagers to organised gangs and state-backed disruptors. As such, cyber security breaches have affected some of the biggest companies in the world, such as Sony and Uber, raising concerns around data privacy.
In response to the increasingly critical and complex challenge of handling data, the EU’s General Data Protection Regulation (GDPR) will become directly applicable to all EU member states from 25 May 2018. It replaces the Data Protection Directive and is aimed at harmonising data privacy laws across Europe.
It covers companies that hold personal data, classed as any information that can be used to directly or indirectly identify a person. That can be anything from a name, photo, email address, bank details, posts on social networking websites, medical information, a computer IP address, usernames, passwords and location data.
Under the GDPR, breach notification becomes mandatory and, for UK firms, a breach must be disclosed within 72 hours to the Information Commissioner’s Office and the victim. There are also enhanced rights to data transparency, access and erasure.
It pays to comply, as businesses can be fined up to 4% of their annual global turnover, or €20m (£17.8m), for breaching GDPR. This could be for not having sufficient customer consent to process data, not keeping records in order, not conducting an impact assessment or not notifying a breach.
Challenge for business
Worryingly, according to a November 2017 survey from specialist law firm Technology Law Alliance, only 18% of large UK businesses are “highly confident” they will achieve compliance before GDPR begins.
“The GDPR is complex and if large corporates are struggling to understand how to comply with it, then it will be a challenge for SMEs as well – especially if they lack access to specialist lawyers,” says Director Jagvinder Kang.
Martin Brown, Director of business advisors Elephants Child, agrees: “There is a risk that a lot of businesses will just drift into GDPR. They need to understand that it is relevant to everybody and isn’t just about customer data but also employees and suppliers. They need a robust GDPR policy in place.”
The first place to start, says Martin, is to undertake data mapping. “What do you hold, what is it used for and where is it stored? Who has access to it? You should ensure that you only retain what you need for your business,” he says. “You also need to look at cyber security, which is best achieved by developing a strong working relationship with your IT provider.”
Ian Kilpatrick, EVP Cyber Security at Nuvias Group, adds: “Companies should be talking to their IT providers about core data security solutions that cover things like encryption, access and identity management, intrusion prevention and detection. Having a demonstrable security policy in place and making sure employees are fully trained in the correct practices will prove invaluable.”
Businesses also need to keep managing their data, recording and tracking changes, and be able to flag up potential crises. They must also ensure that they can quickly restore data following a security incident.
“Larger organisations and public bodies will require a data processing officer,” adds Ian. “But GDPR compliance is everyone’s responsibility from the board to legal, IT and HR.”