‘Wait and see’ approach to GDPR inherently risky

LEE DZENDROWSKI
LEAD TECHNICAL CONSULTANT
Our lead technical consultant says it’s time to grasp the nettle and start preparing for 2018 regulation.
The countdown is on for the General Data Protection Regulation (GDPR). It applies from 25 May 2018 and, while most businesses are aware of it, few have taken concrete steps to prepare for it.
If you’re not familiar with GDPR, you need to be. It’s an EU regulation that will replace the current Data Protection Directive. The government has confirmed that the UK’s decision to leave the EU will not affect its commencement.
The GDPR’s core principles are similar to those of the existing directive. However, organisations’ accountability for the personal data of customers, employees or any other individuals is raised to a higher level. Businesses will have to actively demonstrate their compliance, and there are strict obligations around breach reporting: a breach that puts individuals at risk must be notified to the supervisory authority within 72 hours of the organisation becoming aware of it. A company can also be held liable for a leak of personal data carried out by a criminal organisation if it failed to put appropriate technical and organisational security measures in place.
- Penalties for non-compliance
Penalties are tiered and based on a percentage of global annual turnover (up to 4%, or €20 million, whichever is higher), and individuals will also have the right to claim compensation for damage caused by an infringement.
As yet, there is no clear indication of how the regulation will be enforced in practice, which could explain why so many firms are sitting on the fence and failing to take action. However, this attitude is as risky as it is short-sighted. Preparing for GDPR might seem laborious, but its core tenet – the responsible management of individuals’ personal data – is fundamental to good business practice. Organisations that fall foul of the regulation could experience significant long-term brand damage as well as fierce penalties.
- Initial preparation for GDPR
GDPR compliance will inevitably require new processes and procedures for many organisations. Before this is put in motion, it’s important to understand the internal data environment, and its inherent risks and vulnerabilities. Running an audit is a good place to start, and there are three key questions to consider.
- What does personal data look like?
The first step is to establish the nature and extent of personal data held within the organisation. Any data relating to an identified or identifiable individual is covered – so it’s not just about banking details and passwords, but also home addresses, email addresses, computer IP addresses, online account identifiers or medical information. Some characteristics, such as ethnicity, religion, health and sexual orientation, are treated as special categories under the GDPR and may only be processed under stricter conditions, so lists that record them need to be identified and handled with extra care.
- Where is personal data stored?
Once the scope of personal data has been defined, its location needs to be identified. Many organisations use remote servers and unified databases that facilitate a single customer view. However, it’s highly likely that there are pockets of data held in different departments or on individual devices as well. Data sharing is important to facilitate business decision making and customer service in the digital age, but it needs to be done transparently and responsibly.
- Is the data at risk?
It’s not just banking details for wealthy clients, or personal information about celebrities that is vulnerable to theft or exposure. Any personal data can have value for criminal organisations. It’s also important to be aware of the risk from within: disgruntled employees have been known to deliberately sabotage data. Building an understanding of the risk can start with a top-line assessment, but could extend to pen tests (penetration testing). This involves an authorised, simulated attack on a computer network to discover vulnerabilities that a cybercriminal could exploit.
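The three audit questions above boil down to finding out what personal data exists and where it sits. As an added illustration (not code from the original article), the following Python script shows the kind of data-discovery scan that produces a first inventory: it runs simple detectors for email addresses, IPv4 addresses, UK postcodes and special-category keywords over a set of constructed sample data stores, counts distinct findings per store, and masks the values in the report so the audit output does not itself become another copy of the personal data. The store names, sample records and detector patterns are all assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample data stores (file name -> contents). Nothing here is real: the
# addresses use RFC 5737 documentation ranges and the domains are example.* names.
SAMPLE_STORES = {
    "crm/customers.csv": (
        "id,name,email,postcode,last_ip\n"
        "1,Jane Smith,jane.smith@example.com,SW1A 1AA,203.0.113.7\n"
        "2,Ahmed Khan,a.khan@example.org,M1 1AE,198.51.100.23\n"
    ),
    "support/tickets.log": (
        "2017-09-14 10:02:11 ticket 4471 from jane.smith@example.com: "
        "login fails from 203.0.113.7, app build 10.256.0.3\n"
        "2017-09-14 11:45:02 ticket 4472 note: customer mentioned diabetes medication delivery\n"
    ),
    "hr/onboarding.txt": (
        "New starter: Priya Patel, 14 Rose Lane, LS1 4AB, contact priya.p@example.net\n"
        "Equal opportunities form records ethnic origin: Asian British\n"
    ),
}

# Detectors for common identifiers. These patterns are assumptions for illustration and are
# deliberately simple; a real audit would tune them to the formats actually in use.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "uk_postcode": re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]?\s?\d[A-Z]{2}\b"),
    # Special-category data (Article 9) gets its own bucket because it needs stricter handling.
    "special_category": re.compile(
        r"\b(diabetes|asthma|ethnic origin|ethnicity|religion|trade union|sexual orientation)\b",
        re.IGNORECASE,
    ),
}


def _valid_ipv4(value):
    """Reject dotted quads with an octet above 255 (version strings, build numbers)."""
    return all(0 <= int(octet) <= 255 for octet in value.split("."))


def scan_text(text):
    """Return {kind: set of distinct matches} for one data store."""
    findings = defaultdict(set)
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            value = match.group(0)
            if kind == "ipv4" and not _valid_ipv4(value):
                continue  # e.g. "10.256.0.3" is a build number, not an address
            if kind == "special_category":
                value = value.lower()  # dedupe keyword hits regardless of case
            findings[kind].add(value)
    return findings


def mask(kind, value):
    """Redact a finding so the audit report is not itself a copy of the personal data."""
    if kind == "email":
        local, domain = value.split("@", 1)
        return local[0] + "***@" + domain
    if kind == "ipv4":
        return ".".join(value.split(".")[:2]) + ".x.x"
    if kind == "uk_postcode":
        return value[:-3].rstrip() + " ***"  # keep the outward code only
    return value  # category keywords are labels, not identifiers


def build_inventory(stores):
    """Map each store to the number of distinct values found per kind (zero included)."""
    inventory = {}
    for name, text in stores.items():
        findings = scan_text(text)
        inventory[name] = {kind: len(findings[kind]) for kind in PATTERNS}
    return inventory


def report(stores):
    """One tab-separated line per masked finding: store, kind, masked value."""
    lines = []
    for name, text in stores.items():
        findings = scan_text(text)
        for kind in PATTERNS:
            for value in sorted(findings[kind]):
                lines.append(f"{name}\t{kind}\t{mask(kind, value)}")
    return lines


if __name__ == "__main__":
    for store, counts in build_inventory(SAMPLE_STORES).items():
        print(store, counts)
    print("\n".join(report(SAMPLE_STORES)))
```

The inventory is the useful output for the second audit question: it shows that the support log and the HR file hold copies of data the organisation might have assumed lived only in the CRM, and that two of the three stores contain special-category information. The octet check and the masking are the two details worth keeping in any real scanner: the first stops build numbers and version strings inflating the count, and the second stops the audit report becoming the next thing that needs protecting.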
The GDPR is the most important change to data regulations for two decades. Organisations that persist in taking a ‘wait and see’ approach could find themselves at a significant disadvantage. Now is the time to build an understanding of the actions needed to ensure compliance, so that budgets and resources can be allocated. For a thorough exploration of key areas of the GDPR, check out the living document on the ICO’s website.