Wednesday 4 January 2017

GDPR - 6 Top Tips for Compliance

Following on from my last blog, outlining the background to and impact of GDPR on businesses, I've had lots of calls and emails requesting more information, so I thought it would be useful to share some information on the key actions that businesses need to be taking to ensure compliance.

To recap, the new EU General Data Protection Regulation (GDPR) comes into effect in May 2018 and represents the most radical change in data protection legislation in the last 20 years. Failure to comply will have potentially catastrophic implications for companies, with the ICO able to levy fines of as much as 4% of annual turnover or €20 million, whichever is greater. In addition, the legislation requires disclosure of any breach, leaving companies highly exposed to reputational damage and potential customer payouts.

So what do businesses need to be doing NOW to mitigate the risks of GDPR?

Well, at the moment my company and I are engaged with our clients to carry out the following types of work:

1. Identifying what personal data is held (which can be as simple as an individual's name or email address), who has access to it and where it is stored. This could include in-house servers, cloud services, portable devices such as laptops, tablets and smartphones, or removable media such as USB sticks.

2. Identifying threats to this data, which could include things like cybercrime, accidental loss by employees, deliberate theft by employees, industrial espionage, lost devices and unauthorised access to data. Whilst most businesses have some policies and technologies in place to protect them against these sorts of threats, we often find that these were implemented several years ago and, given the fast-moving nature of security threats, are no longer fully effective. In addition, many companies have a piecemeal approach of different technology solutions, each designed to cover a specific security threat, but no "joined up" solution to make sure nothing falls between the cracks.

3. Investing in and implementing the right technology to deal with insider and external threats to data. These days such a solution needs to include:

   · Virus protection
   · Malware protection
   · Ransomware protection
   · A system for applying operating system and application security updates to servers, PCs and laptops promptly
   · Email filtering
   · Constantly updated firewall protection
   · Encryption of data in transit
   · Data loss/leakage prevention technology
   · The ability to remotely wipe data from any user device that is lost or stolen
   · A certified system for securely wiping old servers and PCs prior to disposal
   · Strong passwords or two-factor authentication
   · Regular penetration testing
   · 24/7 monitoring against threats

4. Putting together a new or updated data protection policy and training employees on it.

5. Putting in place processes for ongoing user education for all members of staff around cyber security and data protection.

6. And finally, for the worst-case scenario, creating a breach notification plan, which will typically involve the Board, IT, PR, sales, marketing and HR to ensure that any breach can be communicated smoothly, accurately and with as little damage to the business as possible.
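Step 1 above, knowing what personal data is held, where it sits and who can read it, is the one piece of this list that a short script can make concrete. The following is an added example, not code from the original post or from the author's company: it walks a directory tree, counts email addresses and phone numbers in each file using two simple regular expressions, and flags any such file that is readable by every local account on the machine. The sample files, the names inside them, the UK-style phone pattern and the `scan_tree`/`demo` function names are all constructed for this example.

```python
"""Toy personal-data inventory scan (added example, not from the original post).

Walks a directory tree, flags files that contain email addresses or
UK-style phone numbers, and records whether each such file is readable by
every local user. The sample files below are constructed for this example.
"""
import os
import re
import stat
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Two deliberately simple detectors; a real inventory would add more
# (national insurance numbers, dates of birth, postal addresses, ...).
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
PHONE_RE = re.compile(r"\b0\d{4}\s?\d{6}\b")  # assumption: 11-digit UK number

# Constructed sample content; none of these are real people.
SAMPLE_FILES = {
    "hr/new_starters.csv": "name,email\nAlice Example,alice@example.com\nBob Example,bob@example.org\n",
    "sales/notes.txt": "Call Carol on 01234 567890 about the renewal.\n",
    "docs/readme.txt": "Nothing personal in here.\n",
}


def write_samples(root: Path) -> None:
    """Create the constructed sample tree under root."""
    for rel, text in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text, encoding="utf-8")
    # Leave the HR export readable by everyone so the access check has
    # something to flag; lock the sales notes down to the owner.
    (root / "hr/new_starters.csv").chmod(0o644)
    (root / "sales/notes.txt").chmod(0o600)


def world_readable(path: Path) -> bool:
    """True if the 'other' read bit is set (any local account can read it)."""
    return bool(path.stat().st_mode & stat.S_IROTH)


def scan_file(path: Path, root: Path) -> Optional[Dict[str, object]]:
    """Return a finding for path if it holds personal data, else None."""
    try:
        text = path.read_text(encoding="utf-8", errors="ignore")
    except OSError:
        return None  # unreadable or vanished; skip rather than crash
    emails = len(EMAIL_RE.findall(text))
    phones = len(PHONE_RE.findall(text))
    if not emails and not phones:
        return None
    return {
        "path": path.relative_to(root).as_posix(),
        "emails": emails,
        "phones": phones,
        "world_readable": world_readable(path),
    }


def scan_tree(root: Path) -> List[Dict[str, object]]:
    """Walk root and collect findings, sorted by path for stable output."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            finding = scan_file(Path(dirpath) / name, root)
            if finding:
                findings.append(finding)
    return sorted(findings, key=lambda f: f["path"])


def demo() -> List[Dict[str, object]]:
    """Build the sample tree in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        write_samples(root)
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        flag = "WORLD-READABLE" if f["world_readable"] else "restricted"
        print(f"{f['path']}: {f['emails']} email(s), {f['phones']} phone(s), {flag}")
```

Pointing `scan_tree` at a file share or a home-directory tree gives a first-pass answer to "where is the personal data and who can read it"; the world-readable flag is the simplest form of the "who has access" question, and on a real share you would extend it to group membership and share permissions.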

Should you need help on assessing your readiness for GDPR or advice on technology solutions that will provide GDPR compliance, please do not hesitate to contact me on (01494) 444065 or email
