In May 2018, the EU's new General Data Protection Regulation (GDPR) will come into force – with significant implications for UK businesses. The new regulations raise the bar when it comes to the cost of security breaches – with fines of up to €20 million (£17 million) or four percent of global revenue.
And while organisations may rail against increasing regulation, the fact is that data – both personal and commercial – has never been more vulnerable. In its last quarter report, the Information Commissioner's Office (ICO) reported a 46 percent increase in cyber-security incidents. Attacks vary, from the use of ransomware to hold a company's data hostage until a ransom is paid, to compromising an employee's credentials using phishing to gain access to customer data, including email addresses and credit card details. And with organisations of every size being targeted, the need for better security policies and procedures is clear – hence GDPR.
One of the biggest changes affecting organisations is the need to ask individuals for explicit consent for personal data to be collected and used, and then to provide clear information as to how this data will be used. Should data be compromised, a company must inform the ICO within 72 hours. Companies must also clearly stipulate the legal channels available should data processing not comply with its agreed-upon use; and all personal data must be erased after a prescribed period of time.
There are several key aspects of GDPR compliance that need to be embedded within operational processes.
- Data security, management and disposal: What security measures are in place to prevent data breach and how often are they reviewed? What is the policy for secure data disposal and does it deliver the auditability now required? Ensuring these processes are effective – and demonstrably so – is essential.
- Information consent: Ensure all clients are informed about the data being collected and held; and how it will be used. Clarify the ways in which consent will be attained, how that is recorded and how the business will respond to client questions about consent.
- Breach management and reporting: With just 72 hours to report a breach to the ICO, organisations need to put in place – and test – a clear strategy for responding to data breaches.
For those companies that are already operating in line with the existing data requirements laid out in the Data Protection Act (DPA), it is worth noting that the government's Data Protection Minister has recently announced that the DPA will have to be amended to ensure consistency with GDPR. Understanding the requirements of GDPR is, therefore, now essential.
Organisations must adopt a far more proactive approach to managing and safeguarding data – and that requires both new data management processes, including retention, redaction and destruction, and improved employee education.
The need to dispose of data after a set timeline is a fundamental component of GDPR. A secure approach to data disposal should already be in place to meet existing DPA requirements; however, many organisations have struggled to implement their data disposal policies, especially for data residing on end-of-life equipment.
The requirements of GDPR bring disposal into sharp focus, and it will be essential to have a clear, auditable approach to destroying data – either through a third-party IT Asset Disposition (ITAD) company that will handle the entire data erasure and equipment disposal/refurbishment process, or through the use of an on-site hard disk shredder. Either way, it is important to ensure there is a full audit trail for compliance purposes.
Whilst data sharing has become a priority for organisations looking to improve business performance, the reality of changing regulations means that organisations must take a 'privacy first' approach to safeguarding information. From staff awareness to data storage and disposal, the safety and security of sensitive information should be a priority.
And that means ensuring a senior member of staff is responsible for data security. Given the size of the potential fines, this is now too big an issue to leave to junior employees. Ensuring a key individual both understands the requirements of GDPR and is empowered to roll out essential user education about data management and security is essential.
Contributed by Laura Cooper, client services director, DataRaze