The battle of the breaches…
Despite leaving the EU this year, the UK is still required to comply with the GDPR: the regulation was retained in domestic law as the "UK GDPR" alongside the Data Protection Act 2018, and the EU GDPR continues to apply to any UK business that handles the personal data of people in the EU. Although it came into force in May 2018, the GDPR is still something that many small and medium businesses are failing to get to grips with.
Making sure personal data is behind at least one layer of protection (access control such as a password, or encryption) is paramount and a bare minimum. Just like cybersecurity incidents, GDPR breaches often occur through lapses of judgement or human error. Treat data as though it were platinum: when standards slip and people get lax, breaches follow. Before sending data outside your business, make sure that it is correct, accurate and accounted for; this prevents both embarrassment and more serious consequences. Sending data that is inaccurate is a major disappointment, but sending somebody else's personal data without a lawful basis for doing so is far more grave.
Getting to a compliant state takes time and patience. If you are unsure where to begin, having that discussion sooner rather than later is a good first step. Audit your data estate so that you know where personal data lives and which areas of your business hold sensitive data, and check that each of them is secure and compliant. You will then need to maintain and manage that data continually, with a documented business process in place so that you can confidently locate, handle and remove data when necessary.
The GDPR (General Data Protection Regulation) allows a maximum fine of €20 million (£17.5 million under the UK GDPR) or 4% of annual global turnover, whichever is greater, for the most serious infringements. Some high-profile companies have fallen foul of the GDPR and literally paid the price: British Airways was fined £20 million by the ICO in 2020 following a breach of its customers' data. Luckily for them, they are a large enough company to absorb the financial hit. For a smaller enterprise, however, a GDPR breach and the potential fine that follows could spell annihilation. Regardless of this, many people still do not take the GDPR seriously. Just one slip-up could spell disaster, so it is in your best interests to prepare your business properly so that you are compliant.
If a personal data breach does occur, the law sets clear deadlines. As a data controller you must report the breach to the ICO (Information Commissioner's Office) within 72 hours of becoming aware of it, unless it is unlikely to result in a risk to the people affected; if the breach is likely to result in a high risk to those individuals, you must also inform them without undue delay. If you are a data processor handling data on behalf of a controller, you must notify that controller without undue delay so that they can meet their own 72-hour deadline. Failing to report within these timeframes can itself attract a fine. Readiness is key here, not only to stay compliant but to be able to react calmly and efficiently when the unwanted happens; a rehearsed breach-response process that follows the GDPR requirements correctly will save you further blushes.
One additional important aspect of the GDPR is the set of rights that individuals have over the data you hold about them, including the right to access a copy of it and to be told how it is being used. You need to make sure that you are able to provide this when asked: a subject access request must normally be answered within one calendar month. Just as when a breach occurs, your reaction time needs to be top class.
Some businesses are required to appoint a DPO (Data Protection Officer). This depends not on the size of the business but on what you do with data: public authorities, organisations whose core activities involve large-scale, regular and systematic monitoring of individuals, and organisations that process special-category or criminal-conviction data on a large scale must all appoint one. What does a DPO do? According to the ICO: "DPOs assist you to monitor internal compliance, inform and advise on your data protection obligations, provide advice regarding Data Protection Impact Assessments (DPIAs) and act as a contact point for data subjects and the supervisory authority." Lots of alphabet soup to decipher here, but ultimately a DPO will help maintain your compliance and generally make sure you are operating within the GDPR's requirements.
Coming with the territory, as a business you will need to be ready for the worst-case scenario. The best way to remain compliant is to use technology and suppliers that support compliance (encryption, access controls and audit logging, and processors who will sign a GDPR-compliant contract), as well as making sure your users are educated and aware of the GDPR basics, to prevent your house of cards from coming tumbling down. This plays directly into cybersecurity: just as with phishing, it is important to train your users on the red flags to look out for when they handle data.
Want to learn more about GDPR? Head to our online platform, BCS Education, where you can access our online courses around GDPR and a variety of other topics. Our Learning Zone is a great environment to hone your skills. Contact us on 01843 572600 to find out more.