The change of year from 2017 to 2018 will have brought a reality check for many companies preparing for the GDPR. Now is the time for every business owner to stop, measure their security posture against the regulations and ensure they fully understand what the new rules require.
In a survey carried out by Apricorn in 2017, 24% of UK organisations said they were not even aware of the GDPR and its implications, while 17% were aware but had no plan for ensuring compliance. Many businesses do have a plan in place, and are making good progress with it. However, there are some lingering misconceptions and complexities around the GDPR framework that could easily turn into liabilities next May.
Myth 1: There will be a ‘grace period’ after the deadline.
The regulation is already in place, and 25th May 2018 marks the date when it will begin to be enforced. Steve Wood, Head of International Strategy & Intelligence at the Information Commissioner’s Office (ICO) has stated that: “You will not hear talk of grace periods from people at the ICO. That’s not part of our regulatory strategy.” Nobody will get a reprieve if they fail to get ready in time.
If you haven’t already checked for chinks in your armour, and created and enforced processes and policies that ensure the business will meet requirements, this must be at the top of the new year priority list. Policies should be clearly defined, written down, shared across the organisation and pushed out to all endpoints.
Myth 2: The definition of Personally Identifiable Information (PII) remains unchanged.
Under GDPR, PII has been extended to include data sets such as ‘genetic data’ and ‘biometric data’, as well as IP addresses and cookies where they relate directly to individuals.
Carrying out an information audit will give you visibility of exactly what types of data you hold and process, where it’s stored, where it flows and what security controls are applied to it. From there, you can identify where it may be unprotected and/or at risk. You should also look to delete any and all data that is not required to run your business.
Myth 3: Penalties will only be levied in the event of a data breach.
GDPR is designed to encourage businesses to be proactive about security and implement best practice. As such, supervisory authorities have the right to audit businesses to test that compliance is built into their process by default and design, and to force remedial action within a specified timeframe.
If an organisation is unable to demonstrate that good data protection is a foundation of its policy and practices, it’s liable to be fined. You’ll also be subject to penalties if you’re unable to support any of the enhanced rights that give EU citizens more control over their data. Any request made to EU citizens for consent to use their data must be explicit, for instance, and the reason for collecting the data and details of how it will be used and stored must be clear. Individuals have the right to demand their data in a portable format, and the right to request that all their data is deleted.
GDPR preparations should involve running a full audit across all the personal data you hold, to understand where it resides and how it’s used – including who is authorised to access certain information, and why. You should then document exactly how data is processed, stored, retrieved and deleted through its lifecycle, and test that your systems can accommodate the various requests EU citizens may make of you.
Myth 4: If personal data is safe from hackers, it’s safe.
Employees present the greatest threat to the security of personal data. Often unaware of their role in protecting it, they can unwittingly put it at risk – particularly when mobile working. More than half (57%) of respondents to the Apricorn survey agreed that while their mobile workers were willing to comply with security measures, they didn’t have the skills or technology to keep data safe. Twenty-nine percent of organisations had suffered a data breach or loss as a direct result of mobile working.
Staff across the business should receive training to ensure they’re aware of and understand the GDPR legislation, its consequences, the policies in place and their responsibilities in protecting data.
Education should be combined with the encryption of all PII, which will render data unintelligible if it does fall into the wrong hands – balancing confidentiality with availability and agility. If your employees use removable media, provide a corporate-standard encrypted mobile storage device, and enforce its use through policies such as locking down USB ports so they can accept only approved devices.
Encryption is specifically mandated by Article 32 of the GDPR as a means to protect personal data, and Article 34 states that an organisation that has implemented encryption can avoid the requirement to contact each individual affected, and therefore the resulting administrative costs, in the event of a breach.
Perhaps the biggest myth of all around GDPR compliance is that it’s an ‘IT problem’. Full compliance requires a culture change across the business – and this makes it a business and legal problem. Business owners and management teams need to lead from the front on developing and executing a comprehensive security strategy, and encouraging employees to follow secure practices every single day.
By Jon Fielding, Managing Director EMEA for Apricorn
GDPR Summit Series is a global series of GDPR events which will help businesses to prepare to meet the requirements of the GDPR ahead of May 2018 and beyond.
Further information and conference details are available at http://www.gdprsummit.london/