The General Data Protection Regulation (GDPR) is the new EU legislation which came into force on 25 May 2016; businesses and organisations have until 25 May 2018, when the law begins to apply to them. Despite this impending deadline, businesses are failing to prepare for its arrival.
Why do we need a new law?
GDPR provides businesses with a clearer legal environment within which to operate. It aligns data protection law throughout the single market and introduces tougher enforcement measures with steep fines for non-compliance and data breaches. It was designed to give people more control over how their data is used in the face of new technologies creating new ways to exploit information.
How does this affect non-EU countries?
This legislation will apply in all EU member states. Companies outside the EU that handle, or contract other firms to handle, EU citizens’ personal data are still subject to GDPR. Under GDPR the concept of personal data expands to include IP addresses and online identifiers.
What about Brexit?
Karen Bradley, secretary of state for Culture, Media and Sport, said in October: “We will be members of the EU in 2018, and therefore it would be expected and quite normal for us to opt into the GDPR and then look later at how best we might be able to help British businesses with data protection while maintaining high levels of protection for members of the public.”
Who needs to manage GDPR?
Anyone who controls or processes personal data. The controller directs how and why personal data is processed; a processor handles the data on the controller's behalf. The controller could be an individual, business, organisation, group, charity or even a government; a processor could be an internal resource or an outsourced service. It is the controller's responsibility to ensure the processor abides by GDPR. Both must make sure personal data is processed lawfully and for a specific purpose; once that purpose is fulfilled, the data should be deleted.
How much does it cost to ignore?
Firms could face penalties of up to 4% of their annual turnover or €20 million, whichever is greater. For small businesses, the risk of non-compliance could be catastrophic: such a fine would force them to close.
What should you do?
Update operating systems and software
Reduce the risk of data breaches by making sure all operating systems and software are up to date, and implement encryption for sensitive data.
The fully managed IT support service provided by Netitude includes updates of all operating systems and commonly used 3rd party applications.
Gain consent from the people whose data you’re collecting – a key tenet of GDPR. Consent must be an affirmative action by the individual, rather than the passive model which allows pre-ticked boxes or opt-outs. If the consent obtained does not meet the GDPR model, collection should be stopped.
BYOD (Bring Your Own Device)
Employees using personal devices and personal cloud accounts to access and store company information are putting companies at risk. Use business-provisioned equipment to access and share company information.
The Mobile Device Management service from Netitude enables you to control data and configuration settings, and to monitor, secure and support mobile devices. Ensure all existing information management solutions and approaches are compliant.
Policies and Procedures
Implement and reinforce a clear policy on the use of mobile devices, and communicate the risk and impact of not following company guidelines.
Netitude provides a fully managed IT support service which includes strategic IT advice to ensure you have the right tools, procedures and policies in place.
Educate ALL your employees about the danger of phishing and social engineering attacks. Ensure there is clarity around compliance and buy-in from all stakeholders to mitigate the possibility of litigation.
Organisations and public authorities have created a data protection officer role to proactively focus on people change management, compliance and the rights of consumers whose data they are handling. Designate someone within your organisation to take responsibility for data protection compliance and governance arrangements.
Keep your confidential data private; data breaches pose a serious threat to businesses affecting both their reputation and GDPR compliance.
Data Loss Protection provided by Netitude will ensure your business is not exposed to potentially expensive and damaging breaches. It protects your sensitive business information against theft, unauthorised manipulation and computer viruses and provides secure connections for your entire workforce including staff members who are mobile.
Under GDPR Article 15, EU citizens have the right to inquire whether and how their data is being processed. To meet the 2018 deadline, organisations should begin assessing the capabilities of their existing archive systems to search, filter and retrieve data to satisfy this GDPR requirement, or evaluate alternative systems or service providers.
Netitude provides secure and fully-indexed file and email archiving services with tamper-resistant chains of custody to support data governance and resilience. Search results are fast and comprehensive; even your backups will have backups.
If you would like strategic IT advice to ensure you have the right tools, procedures and policies in place for GDPR, simply call 0333 241 2323 or get in touch to arrange a visit or call from one of our IT specialists.