The General Data Protection Regulation (GDPR) is legally enforceable from 25th May 2018. There has been a two-year grace period in which most companies have done nothing to ensure compliance. The next three months are going to be frantic.
What Is GDPR?
GDPR is an EU regulation designed to give individuals full control of all the data businesses and governments hold on them. It’s an EU regulation designed to protect the rights of European citizens.
Does GDPR Affect Me?
The GDPR affects data-handling worldwide if any of the data relates to Europeans. The GDPR prevents companies and organizations transferring Europeans’ data outside the EU unless laws similar to the GDPR are in place to protect that data.
If you take the chance and get caught be prepared to face fines of up to 4% of global turnover (Turnover, not profits) or 20 million euro, whichever is higher. These figures are threatening enough to incentivize any US company into compliance.
In a nutshell, GDPR affects every business in the world because it governs every piece of data you may hold on Europeans; from keeping a list of customer phone numbers in a book to maintaining an email list, and from analysis of web page hits to recording previous purchases and suggesting new ones.
What Practises Need to Change with GDPR?
We need to look at every aspect of our data collection, from pre-checked sign-up boxes to using data for any purpose other than the one the individual originally agreed to.
It’s about playing safe.
You must be able to prove you have proper controls over processing and storage of any data you hold. Storage includes on local computers, phones and in the Cloud.
One executive should be put in charge of GDPR compliance. The consequences of failure in this area make it too important to delegate to a mid-level manager.
- Get advice from experts – The laws are drafted using vague language, and it will be years before case-law exists to provide more detailed guidance. Consider an all-in-one GDPR compliance service.
The screenshot above from Bulletproof.co.uk shows how reasonable the cost of compliance is, especially when compared to the stress of DIY compliance efforts and potential non-compliance penalties.
- Ask any email subscribers to opt in again – You need to be able to demonstrate subscribers knew what they were signing up for.
- Prevent any data being downloaded onto phones, tablets, laptops or any other device – Cloud storage with end-to-end encryption and secure passwords is the only way to prevent data falling into the wrong hands.
- Prevent employees using personal email for company business – You cannot guarantee the security of data held on public email networks.
- BYOD (Bring Your Own Device)must end – You cannot guarantee the security of information held on personal tablets and phones.
- A lack of organization will be no excuse – You must respond to anyone asking about the data you hold on them within one month.
- No cover-ups – You must inform anyone whose data is compromised or stolen, so you need to have secure backups and systems in place before a privacy breach occurs.
- Change every company password regularly and enforce a secure password policy – Password security and encryption are negated if employees write down their passwords on paper or their phones
What Could Go Wrong?
If it can go wrong, it WILL go wrong. So prepare for that expectation.
Hacking
In 2014, 90% of large businesses and 74% of SMEs suffered security breaches. The cost of a typical breach in the UK was in the £1.46 million to £3.14 million range for large businesses, and £75,000 to £310,000 range for smaller companies.
Hacking happens, and you WILL be hacked. Taking security advice and implementing that advice will cost money, but will pay for itself if it prevents one data breach.
Burglary
The main data threats from a burglary come from hard drive theft or the discovery of employee passwords written on sticky notes stuck to computer monitors.
Using cloud systems to store data will remove the first possibility. Password discovery requires much more effort on your part. Inform your employees that if their password is discovered and misused that they will be sacked. Check work-stations and desks for written notes of passwords. Ban all private mobile devices from your offices and check company phones regularly for stored passwords.
Employee Theft
According to US Chamber of Commerce figures quoted on the ADT website, 75% of employees steal from their employer. Security cameras are your best deterrent, but won’t be popular with employees. Use monitoring system and a ‘need-to-know’ system to minimize employee theft of data and to detect it where it does occur.
Lost laptops
Company laptops should only be issued to personnel who need them and should only ever be used for business. Data should never be transmitted to a laptop, other than a notification to check the company’s secure cloud-based messaging system or other software.
Long Story Short
GDPR is terrifying in its ramifications and penalties for every business worldwide. You need to be 100% certain that your company can prove compliance. DIY compliance will only ever give you 90% certainty, which isn’t enough given possible penalties that could close you down.
Hiring a security company to check your systems is the only way you will ever be able to say with certainty, “We’re GDPR compliant.”