How IT Solutions Can Help Your Business Achieve Compliance

What is GDPR

The General Data Protection Regulation (GDPR) is EU legislation that applies from 25 May 2018. It replaces the 1995 Data Protection Directive on which the UK's 1998 Data Protection Act was based, and it applies to any organisation that processes personal data about individuals in the EU, wherever that organisation is based. Despite Brexit, the UK is implementing the GDPR. As a result, many organisations will have to review the way they collect, store and use personal data. Personal data includes information such as a person's name, email addresses (both personal and at work), contact telephone number, CV and bank account details, and it can relate to people both inside and outside your organisation.

In the UK, the Information Commissioner's Office (ICO) is the supervisory authority for the GDPR. Under the GDPR, the ICO has new powers to issue fines of up to €20 million or 4% of global annual turnover, whichever is larger. In October 2016 the ICO fined TalkTalk £400,000 for its 2015 data breach; under the GDPR's 4% rule the maximum fine for the same breach would be around £72 million.

Under the regulation, organisations must report a personal data breach to the ICO within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the individuals affected. Late or missing reports can attract a further fine. As well as being costly, a breach can damage your company's reputation. A breach may result from a lost laptop, an email accidentally sent with personal data attached, a malicious leak by a disgruntled employee, or an external attack by cyber criminals. If you can show that the personal data involved was encrypted, so that it remains unintelligible to whoever obtained it, the likelihood of being fined as a result of the breach is greatly reduced, and the GDPR does not require you to notify the affected individuals in that case.


Areas of Your Business Affected by GDPR

Data you already hold: This will have to be audited to confirm it was collected lawfully and is being stored and used appropriately, or else deleted.

Gathering new data: You will need a framework in place so that new data is collected correctly from now on.

Proof of compliance: You will need full audit trails of the source of all data currently being held, whether from third parties, incoming enquiries or your own sales force.

Existing privacy statements: These will need to be reviewed, and are likely to require updating to ensure compliance.

Preparing for the GDPR - 12 Steps to Take

• Awareness
• Information You Hold
• Communicating Privacy Information
• Individuals' Rights
• Subject Access Requests
• Lawful Basis for Processing Personal Data
• Consent
• Children
• Data Breaches
• Data Protection by Design and Data Protection Impact Assessments
• Data Protection Officers
• International


GDPR - How Information Technology Can Help

Information technology strategies can be highly effective when preparing for the GDPR:

• Digital audits can help your organisation determine what personal data you already hold and where it is stored, including the copies in mailboxes, shared drives and backups that are easy to overlook.

• Managing your IT environment allows your organisation to control access rights, so that only the people who need personal data for their role can read or use it. Enforcing this least-privilege principle demonstrates strong data control and reduces the likelihood of both an accidental breach and a malicious leak.

• Securing your organisation from outside threats becomes even more important under the GDPR. A combination of firewalls, anti-virus filtering, anti-malware filtering and web vulnerability management greatly reduces the risk that hackers and cyber criminals steal and expose personal records; no product alone makes a business safe, so these controls need to be kept up to date, monitored and tested.

• As well as defending against outside threats, encrypting data is one of the most effective security measures available. Encrypted data cannot be read without the encryption key, so if an encrypted laptop, drive or file is taken without authorisation, its contents remain unintelligible to the third party, provided the key was not taken with it. Encryption protects data at rest only: a disk that is unlocked on a logged-in laptop, or a file opened through a compromised user account, is readable as normal, so it complements access control rather than replacing it. Leading IT security vendor Sophos states that "If you can show that data was encrypted, the likelihood of being fined as a result of a breach, under GDPR, should be greatly reduced."

• Maintaining an audit system: with a strong audit trail, your organisation can demonstrate accountability in the event of a breach. A record of file permissions showing who had access to what, together with logs of who actually accessed or changed personal data records and whether those records were encrypted, puts you in a much stronger position when reporting the breach within the 72-hour window.

• Comprehensive backup and disaster recovery strategies also help your organisation recover from a malicious attack such as ransomware. Backups should be tested regularly and kept offline or otherwise out of reach of the accounts an attacker is likely to compromise, or they will be encrypted or deleted along with the live data.
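
The first, second and fifth points above (finding what personal data you hold and where, controlling who can read it, and keeping a record of file rights) can be partly automated. The script below is an added example written for this page, not tooling from Stack Group, Sophos or the ICO. It walks a directory tree, flags text files that contain patterns resembling the kinds of personal data named above (email addresses, UK telephone numbers and UK sort-code/account-number pairs; the regular expressions are illustrative assumptions and will produce false positives), and records each file's owner, permission bits and whether every user on the host can read it. The sample files it scans are constructed inside the script, so it runs offline.

```python
"""Personal-data discovery and access-rights inventory (added example).

Walks a directory tree, flags text files that appear to contain personal data,
and records who owns each such file and whether everyone can read it.  The
detection patterns are illustrative assumptions, not a complete definition of
personal data, and they will produce false positives; treat the output as the
starting point for a manual audit, not a verdict.
"""
import os
import re
import stat
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List

# Assumed, illustrative patterns for the kinds of personal data named on this page.
PATTERNS = {
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    # UK number written with a leading 0 or +44 followed by ten digits, optionally spaced.
    "uk_phone": re.compile(r"(?<!\d)(?:\+44\s?|0)(?:\d\s?){10}(?!\d)"),
    # UK sort code (nn-nn-nn) followed by an 8-digit account number.
    "uk_bank": re.compile(r"\b\d{2}-\d{2}-\d{2}\b\s+\b\d{8}\b"),
}
TEXT_SUFFIXES = {".txt", ".csv", ".log", ".md", ".json", ".xml", ".html"}
MAX_BYTES = 1_000_000  # only the first 1 MB of each file is inspected


@dataclass
class Finding:
    path: str
    kinds: Dict[str, int]   # pattern name -> number of matches
    owner_uid: int
    mode: str               # e.g. "-rw-r--r--"
    world_readable: bool    # "other" read bit set: any account on the host can read it


def classify(text: str) -> Dict[str, int]:
    """Return match counts per pattern; an empty dict means nothing was found."""
    counts = {}
    for name, rx in PATTERNS.items():
        n = len(rx.findall(text))
        if n:
            counts[name] = n
    return counts


def scan(root: str) -> List[Finding]:
    """Inventory every text file under root that appears to hold personal data."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() not in TEXT_SUFFIXES:
                continue  # binaries and office formats need other tooling
            try:
                st = p.stat()
                text = p.read_bytes()[:MAX_BYTES].decode("utf-8", errors="ignore")
            except OSError:
                continue  # the scanner itself cannot read it; move on
            kinds = classify(text)
            if kinds:
                findings.append(Finding(
                    path=str(p),
                    kinds=kinds,
                    owner_uid=st.st_uid,
                    mode=stat.filemode(st.st_mode),
                    world_readable=bool(st.st_mode & stat.S_IROTH),
                ))
    return sorted(findings, key=lambda f: f.path)


def build_sample(root: Path) -> None:
    """Constructed sample tree (invented data, not real people) so the example runs offline."""
    (root / "hr").mkdir()
    (root / "finance").mkdir()
    (root / "docs").mkdir()
    staff = root / "hr" / "staff.csv"
    staff.write_text(
        "name,email,phone\n"
        "Jane Doe,jane.doe@example.com,07700 900123\n"
        "Sam Roe,sam.roe@example.org,+44 7700 900456\n"
    )
    payroll = root / "finance" / "payroll.txt"
    payroll.write_text("Payroll run 2018-05: Jane Doe, sort code 20-00-00 12345678, paid.\n")
    (root / "docs" / "readme.md").write_text("Internal wiki. Contact the helpdesk.\n")
    (root / "docs" / "app.bin").write_bytes(b"\x7fELF\x00\x01")
    os.chmod(staff, 0o600)    # owner only: what an HR file should look like
    os.chmod(payroll, 0o644)  # readable by every account: the finding the audit wants


def demo() -> List[Finding]:
    """Build the constructed sample in a temp directory and scan it."""
    root = Path(tempfile.mkdtemp(prefix="gdpr-audit-"))
    build_sample(root)
    return scan(str(root))


if __name__ == "__main__":
    for f in demo():
        flag = "WORLD-READABLE" if f.world_readable else "restricted"
        print(f"{f.mode} uid={f.owner_uid} {flag:14} {f.path}  {f.kinds}")
```

To audit a real share, call scan() on its path instead of demo() and review the findings by hand. The permission check reads POSIX mode bits; on Windows file servers the equivalent question is answered by the NTFS ACL, which this script does not inspect. The output also doubles as a snapshot of file rights that can be kept as part of the audit trail described below.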

Disclaimer: At Stack Group, we are IT professionals. We are not legally trained, and therefore recommend that your organisation seek qualified legal advice before making changes intended to achieve full compliance with the GDPR.