A three-step approach to help meet EU GDPR compliance
The European Union General Data Protection Regulation (EU GDPR) will be enforced from the 25th May 2018. With less than 12 months until the new legislation becomes law, organisations are struggling to get to grips with what has been hailed as a new era for personal data security. The reforms will require every business in the UK to look at how it handles personal or sensitive data and where necessary invest in new systems and processes to ensure compliance. The penalties for failing to comply will be considerable. Under the new laws, all businesses will be mandated to notify the national regulator of a data breach within 72 hours, when an individual’s rights and freedoms have been compromised. Businesses will also be required to explain in detail the cause, scale and anticipated impact of the breach. This will include demonstrating an adequate investment in the protection of personal data through process, procedure and technology. Furthermore, if an organisation is found to have failed in its duty to protect personal data, anticipated fines could be as much as 4% of annual turnover or €20m (whichever is higher). Data Subjects are also entitled to bring their own legal action against an organisation, with no cap to the potential fines.
To help you get to grips with the EU GDPR, we have put together a three-step approach to meeting the new compliance requirements:
1. Data audit
Before any organisation invests in new systems and/or procedures, it needs to understand how it stores and handles personal data. If data is stored internally, are processes in place to effectively manage and protect it? If data is stored externally, has the supply chain been audited to understand where the data resides? Organisations also need to consider the security certifications of their hosting providers, as well as contractual terms and service level agreements.
2. Control and reporting
Often, data is most vulnerable at the point it is shared. This could be the result of an email being sent to the wrong recipient, or data being shared via a third-party collaboration website. GDPR will require organisations to be able to demonstrate they have put in place the necessary technology and training to protect shared information. This should include policies that can automatically apply encryption, so that even in the event of a breach, the underlying data remains protected.
Businesses should also evaluate their audit and reporting capabilities to ascertain whether they could respond to a breach within 72 hours, and how they will manage other demands, such as Freedom of Information requests or Subject Access Requests.
3. A future-proofed approach
Technology decisions made today need to consider potential changes in the future. Chosen technology providers need to demonstrate a high degree of product flexibility. With the majority of businesses expected to transition to Microsoft Office 365, or similar cloud-based platforms, in the next 2 to 5 years, can the chosen provider offer the required levels of integration, assurance and security in the cloud? Also, do they hold the necessary independent security certifications, such as ISO 27001?
With the date fast approaching, we believe now more than ever it is important for you to start the security investment process to ensure compliance with the EU GDPR. If you would like more information on this topic, please don’t hesitate to get in contact with us.