GDPR

Everything you need to know about the new General Data Protection Regulation

From 25th May 2018, new data protection laws will take effect to give EU citizens greater control over how businesses use their personal information. With the increasing amount of data we create, capture and store on multiple devices, the old data protection laws are no longer fit for purpose, which is why the new regulations are needed. GDPR will affect the way every company holds and uses personal and sensitive data, so business processes and strategies must be reviewed and amended in order to comply. When the new regulations are enforced, businesses must have recorded consent before they can use personal data or risk tougher penalties. A data breach can result in administrative fines of up to 4% of annual global turnover or €20 million – whichever is greater.

Fast facts

  • The EU’s General Data Protection Regulation (GDPR) will apply from 25 May 2018.
  • Organisations found in breach of the Regulation can expect administrative fines of up to 4% of annual global turnover or €20 million – whichever is greater.
  • Under the GDPR there is a requirement for organisations to report a personal data breach to authorities such as the ICO no later than 72 hours after having become aware of it.
  • UK organisations handling personal data will still need to comply with the General Data Protection Regulation (GDPR), regardless of Brexit. The GDPR will come into force before the UK leaves the EU, and the government has confirmed that the Regulation will apply.
  • An organisation will not be able to charge for a Subject Access Request (SAR) under the GDPR unless the request is ‘manifestly unfounded or excessive’.
  • The GDPR considers any data that can be used to identify an individual as personal data. It includes, for the first time, things such as genetic, mental, cultural, economic or social information.

Three areas to review...

It is time to start thinking about your path to GDPR compliance. An individual or a team of people needs to take charge of GDPR and assess how the new regulations will affect the processes and procedures across every department. There are three areas to review: Procedure, Technology and Governance.

All employees across your business will need to identify the processes they use to gain, store, transfer and manage personal data. By identifying how and why information is used across the business, policies can be put in place to meet the new regulations. A data audit involving all employees is a useful starting point to determine where data is, what it is used for and how much of it there is.

It is everyone’s responsibility in a business to adhere to GDPR. Employees will need to be trained on new data handling policies and understand the importance of keeping to these new procedures, to avoid the fines.

Technology and software must be able to cope with the demands of GDPR. Organisations will need to document and report on where their data is, how it is collected, how it is stored, who can access it and what it is used for. Security measures must also be tightened to prevent the unlawful sharing of personal information, internally and externally.

Technological solutions can help to:

  • Discover the data you hold
  • Manage your data and how it is accessed
  • Protect your business from data breaches
  • Report data breaches, maintain documents and manage data requests

However, whilst there are applications and tools out there that can be used to assist and accelerate your way to GDPR compliance, these cannot be relied upon alone. There is no single solution or answer to gain GDPR compliance; it is going to be a completely different journey for every business.

Once GDPR is in place, there needs to be a way to govern and monitor how data is stored and processed across your entire organisation. With ‘the right to be forgotten’ also a part of the new laws, someone needs to take charge of data processing operations and ensure all the criteria are met.

Companies with more than 250 employees or public authorities will need to consider appointing a Data Protection Officer: someone who can monitor the organisation’s compliance, serve as a contact point for all data protection queries and monitor internal processes.

How can technology help with compliance?

Technology can be used to support four areas: discovery of data, protection, management and auditing. At CPiO, we can help you to review your entire data protection strategy and advise you of the best route going forward. Whether you need highly secure technical solutions or some advice from one of our team, we are here to support you on your journey to GDPR compliance. So what’s on offer?

Unsure where to start? Let one of our experienced consultants come and look at the way data flows through your business and advise you of the next best steps to take to meet GDPR regulations. We can review your data model and design an end-to-end data protection strategy for your business, all with maximum value in mind.

As part of your data protection review, you will need to consider the types of data flowing through your business: Is it freely available? Does the data contain personal information? We can help you create an effective data classification system whereby, for example, if a piece of data is marked as ‘highly sensitive’, an email alert can be set up to let the data controller know that someone wants to access it. In this sense, access to the data is gated by the responsible authority rather than left to chance.

Encryption translates data into code so that only people with access to a key or password can read it. It is currently one of the most popular data security methods used by organisations to protect data confidentiality across all devices. In recent years there have been numerous incidents where personal data has been stolen, lost or subject to unauthorised access. By encrypting information, businesses can take control of their data by validating users and ensuring data authenticity when data is used and transferred.

Data loss prevention software uses detection techniques to identify sensitive data. By monitoring and detecting personal information like bank details and addresses, businesses can determine why and how information is being used and therefore recognise any data breaches or misuse. It is essentially a filter that blocks the flow of sensitive data. This should shield businesses from insider threats.
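The classification-based alerting described above and the DLP filter in this paragraph can be illustrated with a small scanner. This is an added example, not CPiO's product or any vendor's code; the detection patterns, classification levels and sample messages are all constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Detection rules (constructed for this example; a real DLP product ships tuned, validated rules).
PATTERNS = {
    "uk_sort_code": re.compile(r"\b\d{2}-\d{2}-\d{2}\b"),
    "uk_account_number": re.compile(r"\b\d{8}\b"),
    "email_address": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "uk_postcode": re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]? ?\d[A-Z]{2}\b"),
}
# Classification each finding implies; the highest level present labels the whole message.
LEVEL = {"public": 0, "personal": 1, "highly sensitive": 2}
CLASS_OF = {"uk_sort_code": "highly sensitive", "uk_account_number": "highly sensitive",
            "email_address": "personal", "uk_postcode": "personal"}
# What the filter does per level: allow, alert the data controller, or block outright.
ACTION = {"public": "allow", "personal": "alert", "highly sensitive": "block"}

@dataclass
class Verdict:
    classification: str
    action: str
    findings: dict = field(default_factory=dict)   # data type -> number of matches

def scan(text: str) -> Verdict:
    """Classify one outbound message and decide whether it may leave the business."""
    findings = {name: len(pat.findall(text)) for name, pat in PATTERNS.items()}
    findings = {k: v for k, v in findings.items() if v}
    # Edge case: a bare 8-digit number (order ids, dates) only counts as an account number
    # when a sort code appears in the same message; otherwise it is a false positive.
    if "uk_account_number" in findings and "uk_sort_code" not in findings:
        del findings["uk_account_number"]
    top = max(findings, key=lambda k: LEVEL[CLASS_OF[k]], default=None)
    classification = CLASS_OF[top] if top else "public"
    return Verdict(classification, ACTION[classification], findings)

# Constructed sample traffic, as a mail gateway might see it.
SAMPLE_MESSAGES = [
    "Hi Sam, the quarterly newsletter draft is attached for review.",
    "Please post the contract to 14 High Street, Birmingham B1 1AA and cc sam@example.com.",
    "Refund to sort code 12-34-56, account number 12345678.",
    "Order 20180525 dispatched.",
]

def scan_all(messages=SAMPLE_MESSAGES):
    return [scan(m) for m in messages]

if __name__ == "__main__":
    for msg, v in zip(SAMPLE_MESSAGES, scan_all()):
        print(f"{v.action:5} {v.classification:16} {v.findings} <- {msg[:40]}")
```

The "alert" action is where the email to the data controller from the classification paragraph would be sent; "block" is the filter stopping the flow of highly sensitive data.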


Most standard security procedures online involve a simple username and password. With the ever-increasing risk of cyber attacks, an extra layer of security is beneficial to ensure data is protected. Two-factor authentication, also known as 2FA, involves the use of both a username and password and a second factor, for example a personal identification number that only the user knows or the fingerprint ID typically found on an iPhone. Two-factor authentication is a tried and tested method that makes it harder for attackers to gain access to a person’s devices and online accounts.

Around 54% of UK businesses have been affected by ransomware, a situation where hackers lock you out of your devices and demand a ransom in return for access. This is a huge, scary risk for all businesses, which is why antivirus and anti-ransomware software are so important. This solution scans for and removes any ransomware found on your computer, giving you extra security and peace of mind.

Device Management enables IT teams to control the securing, monitoring, integrating and managing of devices such as smartphones, tablets and laptops in the workplace. With device management, businesses can be assured that the network and its data are fully secure and GDPR compliant on all devices.


Many businesses do not validate whether their employees are provisioned with the right access and permissions to use data. Further to this, when employees move roles across the business, they gain access to new data without necessarily losing access to previously acquired data. To comply with GDPR by May 2018, businesses will need to take a much more controlled approach to minimise unauthorised access to critical information. With our team of experts, we can help you strengthen and centralise your access and identity management setup and give you the control you need over your data and its use.
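The access accumulation described above can be caught by reconciling each user's live grants against a least-privilege baseline for their current role. This is an added example, not CPiO's or any identity product's code; the roles, users, grants and exception dates are constructed for illustration.

```python
from datetime import date

# Least-privilege baseline: the permissions each role actually needs (constructed data).
ROLE_BASELINE = {
    "sales": {"crm:read", "crm:write"},
    "finance": {"ledger:read", "ledger:write", "payroll:read"},
    "support": {"crm:read", "tickets:write"},
}

# Constructed identity records: current role plus every grant still in force.
# alice moved from sales to finance and kept her CRM access; carol holds payroll:read on an exception.
USERS = {
    "alice": {"role": "finance", "grants": {"crm:read", "crm:write", "ledger:read", "ledger:write", "payroll:read"}},
    "bob":   {"role": "support", "grants": {"crm:read", "tickets:write"}},
    "carol": {"role": "sales",   "grants": {"crm:read", "crm:write", "payroll:read"}},
}

# Approved, time-boxed exceptions: user -> {permission: expiry date} (constructed).
EXCEPTIONS = {"carol": {"payroll:read": date(2018, 4, 30)}}

def review_user(name, record, today, exceptions=EXCEPTIONS):
    """Compare one user's grants with their role baseline and say what to revoke."""
    baseline = ROLE_BASELINE[record["role"]]
    excess = record["grants"] - baseline                    # not justified by the current role
    still_valid = {p for p, expiry in exceptions.get(name, {}).items() if expiry >= today}
    return {
        "user": name,
        "role": record["role"],
        "revoke": sorted(excess - still_valid),             # carried over, or exception expired
        "keep_on_exception": sorted(excess & still_valid),
        "missing": sorted(baseline - record["grants"]),     # baseline rights they do not hold
    }

def access_review(today, users=USERS):
    return [review_user(n, r, today) for n, r in users.items()]

def revocations(today, users=USERS):
    """Flat list of (user, permission) pairs to remove to restore least privilege."""
    return [(r["user"], p) for r in access_review(today, users) for p in r["revoke"]]

def move_role(record, new_role):
    """A role change done properly: grants are reissued from the new baseline, not accumulated."""
    return {"role": new_role, "grants": set(ROLE_BASELINE[new_role])}

if __name__ == "__main__":
    for finding in access_review(date(2018, 5, 25)):
        print(finding)
```

Running the review on a schedule, and routing role changes through move_role rather than adding grants on top of old ones, is what turns the "much more controlled approach" into something auditable.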

With the risk of cyber attacks higher than ever, it is really important your data is backed up. Backups exist in case information is destroyed accidentally or maliciously.

CPiO Cloud Services makes automated backups so you don’t need to worry about keeping copies of your data. And our high-specification hardware and secure hosting facility give you the greatest level of resiliency. Find out more here

Cybercriminals continuously develop new exploits that take advantage of application vulnerabilities to introduce malware and compromise endpoints. An exploit attack can slow down your computer, cause sudden application failure and expose your personal data to hackers. Exploit prevention protects the applications and files that are prone to these attacks and mitigates the methods attackers use to exploit software vulnerabilities.

Patch management involves keeping software on computers and network devices up to date and capable of resisting low-level cyber attacks. With older software versions, companies are far more vulnerable to cyber crime and leave obvious gaps for hackers to exploit. This may be the simplest technological solution, but up-to-date software can really provide the reassurance and confidence your business needs.

Legal Disclaimer

The information above does not represent, nor is it intended to offer, legal advice. We strongly recommend you discuss achieving GDPR compliance with your Legal, Compliance, Data Protection and Privacy teams.