The General Data Protection Regulation (GDPR) is just around the corner, and by May 2018 your business will need to have changed the way it acquires, manages, shares and deletes data. It replaces the 1995 Data Protection Directive, and the Information Commissioner's Office (ICO) will be responsible for enforcing the legislation.
Steve Wood, head of policy development at the ICO, confirms the regulation is “much the same as the current Data Protection Act and if you are already complying properly with the current law, then you have a strong starting point to build from.” However, there are important new elements that must be addressed, and some things will need to be done differently.
The full General Data Protection Regulation is 88 pages long and consists of 99 articles, but don’t worry: the ICO has produced a 12-step guide covering the main points. It details some positive actions that you should be taking now. We recommend that you review the ICO website regularly, as it is releasing some really valuable information to support businesses that are in the process of complying with the new legislation. We particularly like CEO Elizabeth Denham’s Myth Busting blogs.
How to kick off your GDPR preparations
What does the GDPR cover? In essence, it is a mixture of cultural, procedural, policy and technological changes, all of equal merit and importance. It is highly recommended that all businesses take advice quickly on ensuring that they are compliant in time for the May deadline. The ICO will look much more favourably on organisations that have made the effort to implement the legislation.
To get you started, we’ve put together seven simple steps that everyone should be taking right now to ensure that, technologically at least, they are protecting their data from breach and moving a step closer to compliance.
- Education and GDPR
Being proactive and understanding the threat landscape and the value of safe working practices will have a huge impact on any organisation. It’s almost impossible to protect against threats we don’t understand, so training and education are vital.
In GDPR terms, an ongoing employee training programme can minimise the risk of a data breach. Research from Data Shepherd confirms that 89% of data breaches come from within, whether malicious or accidental.
Upskilling the workforce is the first step in cyber-crime defence: what are your threats, how do they evolve, how do you know what to look for, what are the different attacks, and what can you do to help? An ongoing policy of cyber education can really make a difference, and the ICO will take a positive view of these actions in the event of a data breach.
- Anti-Virus and GDPR
Securing your network with fit-for-purpose anti-virus (AV) software will also have a strong impact.
It might sound like common sense, but despite AV having been around since the 1980s, there are still organisations out there with either outdated AV or no AV at all!
Make sure you’re managing your AV correctly. If you don’t have the resources, ensure you’re working with an IT partner that has your security at the very top of its priority list.
- Encryption and GDPR
Encryption is specifically mentioned in the GDPR as a recommended technology. In fact, Peter Brown, Senior Technology Officer at the ICO, cites encryption as “a widely available technology with a relatively low cost of implementation” that is imperative to organisations. He also states that “the ICO takes the view that regulatory action may follow in cases where a lack of encryption has led to a loss of data.”
If you aren’t using encryption effectively in your business, then looking into this should be your next step. Ensure your IT partner fully understands your data processing activities and can help you develop a data security strategy that includes encryption software.
- Automated Backup
What is the biggest threat to data security? It’s you, me and your employees.
Human action, whether malicious or accidental, is the root cause of the majority of data breaches.
Why then do we entrust something as important as backup to a fallible human? There are countless examples of backups being neglected, hard drives left in public places, sabotage, and more.
With an automated backup solution you can set it to run, securely, at an interval that suits your business, removing another source of human error.
- Disaster Recovery
Article 32 of the GDPR talks about “the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.” This is where you need to make sure you have your business continuity house in order.
It’s simpler than you think. Once you’ve pressed go and automated your backup, the software sends the data, securely, offsite to a data centre. It sits there, updated incrementally, until “a physical or technical incident” occurs, at which point it springs into life.
Depending on the size of your backup, in the event of a catastrophic incident you could restore your data within 15 minutes.
If you don’t have disaster recovery as part of your business continuity plans, then start thinking about it now. The ICO is likely to be more lenient on a business that can prove it has proactively assessed its risks.
- SSL Certificates
So far we’ve spoken about encrypting your network and your data, but what about protecting your website?
An SSL certificate is a file installed on your web server that enables secure online communications. When a web browser contacts your secured website, the SSL certificate lets the two set up an encrypted connection, protecting the information exchanged from interception.
Again, the advice is to take the time to work with your IT partner to make sure your encryption is up to date across all of your systems.
- Patch Management
And last, but not least… poor patch management can have a massive impact on your ability to stay safe from data breaches.
“Patch” is another word for update. Patches are the hardware and software bug fixes and improvements that vendors release on a regular basis, aimed at adding features, increasing security and so on.
Having a robust patch management strategy ensures that your teams understand each new system update and how it will affect the day-to-day running and security of your business.
If you aren’t doing this already, start now or find an IT partner who can help you navigate your way through this important strategy.
Hopefully you’ll already be ticking the box on all or most of these tips. However, technology plays only a small part in GDPR. It is crucial that every business takes the time to understand its obligations under the new legislation. Don’t leave it too late!