In May 2018 General Data Protection Regulation (GDPR) will replace the Data Protection Act that has been in place since 1998.
GDPR aims to make it easier for individuals to understand how their data is handled and what it is used for. What this means for businesses is a much stricter code of conduct and a significant increase in fines for a data breach. Under the new regulations, if you experience a data breach from failing to comply, this will result in penalties of up to 20 million or 4% of your global annual turnover (whichever is greater), far surpassing the current fines in place which carry a maximum penalty of £500,000. The term processing data’ refers to how companies obtain, disclose, record, or destroy personal information basically whatever you do with information inside your company. GDPR is subjective; it’s about the data not the company so it doesn’t matter whether your organisation is in the EU or not, what matters is whether the data you handle concerns EU citizens.
The territorial reach of GDPR is considerably broader than the UK’s current Data Protection Act and you will be subject to GDPR if you: Hold data about individuals that reside in the European Union. Handle data in the context of offering goods or services to an individual in the EU, or if you monitor their behaviour The monitoring aspect of the regulation could be of most concern to your business as even using cookies on your website can make you liable to the GDPR.
The following five areas of focus need to be top of mind when it comes to data protection best practice.
1. Secure the cloud Processing data in the cloud presents a risk. The personal data which you are responsible for is not within the confines of your on-premises network. You must therefore assess the security measures your provider currently has in place to ensure they are compliant with the new regulation.
2. Understand what you have Given just how much data businesses now generate, part of keeping this secure involves identifying what information you hold, where it is stored, who has got access and which is no longer valuable. Ensure you only collect the most necessary information as systems can get overcrowded quickly. Under GDPR, an individual can ask if your organisation holds any personal information about them and you must respond within 40 days. Make sure your staff can recognise these requests and quickly find the relevant information.
3. Staff training Human error is the main contributor to data breaches, from sending an email to the wrong recipient to opening an attachment with malware. By ensuring your employees acknowledge and understand their roles and responsibilities, you can greatly improve data protection across your business.
4. The right to retain it You should always consider why you are storing the data and once used, securely archive or delete it.
5.Audit your activity Running audit logs are a great way to keep on top of company content. This way you can see where data is going and who it’s been accessed by. By monitoring your systems and services, you can be alerted to any suspicious behaviour or activity. Make this company policy.
Visit: www.bluelogic.co.uk for further information.
