Following on from my last blog, outlining the background to and impact of GDPR on businesses, I've had lots of calls and emails requesting more information, so I thought it would be useful to share some information on the key actions that businesses need to be taking to ensure compliance.
To recap, the new EU General Data Protection Regulation (GDPR) comes into effect in May 2018 and represents the most radical change in data protection legislation in the last 20 years. Failure to comply will have potentially catastrophic implications for companies, with the ICO able to levy fines for as much as 4% of annual turnover or €20 million, whichever is greater. In addition, the legislation requires disclosure of any breach, leaving companies highly exposed to reputational damage and potential customer pay outs.
So what do businesses need to be doing NOW to mitigate the risks of GDPR?
Well, at the moment myself and my company are engaged with our clients to carry out the following types of work:-
1. Identifying what personal data is held (which can be as simple as an individual's name or email address), who has access to it and where it is stored. This could include in-house servers, cloud services, portable devices such as laptops, tablets and smartphones, or removable media such as USB sticks.

2. Identifying threats to this data, which could include things like cyber crime, accidental loss by employees, deliberate theft by employees, industrial espionage, lost devices and unauthorised access to data. Whilst most businesses have some policies and technologies in place to protect them against these sorts of threats, we often find that these were implemented several years ago, and with the fast-moving nature of security threats, they are no longer fully effective. In addition, many companies have a piecemeal approach of different technology solutions, each designed to cover a specific security threat, but no "joined up" solution to make sure nothing falls between the cracks.
3. Investing in and implementing the right technology to deal with insider and external threats to data. These days such a solution needs to include:-

· Virus protection
· Malware protection
· Ransomware protection
· A system for applying operating system and application security updates to servers, PCs and laptops promptly
· Email filtering
· Constantly updated firewall protection
· Encryption of data in transit
· Data loss/leakage prevention technology
· The ability to remotely wipe data from any user device that is lost or stolen
· A certified system for securely wiping old servers and PCs prior to disposal
· Strong passwords or two-factor authentication
· Regular penetration testing
· 24/7 monitoring against threats
5. Putting in place processes for ongoing user education for all members of staff around cyber security and data protection.

6. And finally, for the worst-case scenario, creating a breach notification plan, which will typically involve the Board, IT, PR, sales, marketing and HR to ensure that any breach could be communicated smoothly, accurately and with as little damage to the business as possible.