Posted 17th April 2020
The high-level security issues concerning threats and attacks over online transactions are always present. Are businesses truly aware of the responsibilities they have for customers?
The General Data Protection Regulation (GDPR) came into effect on the 25th of May 2018, and it is vital for businesses to be compliant.
The GDPR is the biggest change in information security legislation since the Data Protection Act of 1998, and is part of an EU policy that aims to make companies accountable for the security of the data they hold, and enforce serious fines if they do not measure up to the new standards of responsibility.
The legislation gives comprehensive oversight on all data-related issues, and affects almost every business that deals with customer and personal data on any level, ensuring that data will be handled with transparency, competency and accountability.
Customers and clients should be able to easily find out what data companies hold about them, how they use it, how they protect it, why they need it and who they might share it with. The legislation recognises the value of data, both in terms of personal privacy, and data as a resource which can be bought and traded.
The GDPR ensures that data is:
Collected legally, with explicit consent for the terms of usage and sharing.
Stored and processed safely, with limited retention.
Protected against breaches, with any breaches reported immediately and contained responsibly.
People often undermine the security measures that online businesses put in place. For instance, they find security processes frustrating and time-consuming because they expect convenience and speed.
What happens if you aren’t compliant?
If your company fails to comply with the GDPR you could be at risk of huge fines up to €20 million or 4% of global turnover (whichever is greater).
Assess where you are now, and how much work you will have to do to get your company in line.
You must begin by asking some questions about how you get your data:
What consent do you receive when you collect personal data from your customers and clients?
How long can you hold the data?
Can you share it? If so, with whom?
How do you use the data?
For marketing uses, both B2B and B2C, email and SMS recipients must now be explicitly opted-in. For profiling purposes, you need explicit consent, and to make it very clear how profiling will take place and what automated decisions you make based on the profiled criteria.
Storing and Processing Data
You need to conduct a risk assessment of how data is used and how it moves about your company, evaluating:
Where is data held? Where is it sent around your company?
Who has access to the data? What level of skills, clearance and training do they have?
How sensitive is the data (personal, sensitive, anonymous)?
What third parties is the data shared with? How is it transferred?
What agreements and contracts do you have with data processors and CSPs?
Where are your Cloud servers? What is your Cloud security like? What encryption is used? Does it include mobile devices?
How secure is your technology? Are there adequate firewalls and virus protection?
Is there a clear password policy? Is it enforced?
What do you do with your data when you aren’t using it? What are your data elimination policies?
Who is responsible for answering these questions?
The GDPR centres around responsibility and accountable dealings with data, and you must have someone in your organisation who is responsible for issues of compliance and data security. This will be your Data Protection Officer or, for smaller companies, you can use consultancies to outsource this responsibility.
A Data Protection Officer is required in companies where:
The data processing is carried out by a public body, except for courts operating in their judicial capacity.
The ‘core activities’ of the data controller include ‘regular and systematic monitoring of data subjects on a large scale’.
You also need to ensure that all your staff understand your Data Safety Procedures.
Repairing and Reporting Data Breaches
You must be able to prove you have done everything within your power to reasonably protect against breaches, but if one does occur, whether it is due to a hacker, inadequate security or human error, you must have a procedure in place to deal with it.
You should have good information governance procedures, meaning that you know what data you hold, so that, should some of it be leaked, you know how serious a situation you are dealing with.
If a breach happens you must inform your staff, your customers (whose data has been affected) and the Information Commissioner’s Office (and/or the data protection body of any other EU country whose citizens it affects).
You also need to have in place a good Breach Management Process that all your staff are aware of, in order to minimise the damage caused. The ICO will impose more severe penalties on organisations that have inadequate breach management processes as this will be seen as a systems and control failure.
This may not be an exhaustive preparation list, but if you haven’t already assessed your position and vulnerabilities you should be able to start and get things in order now.
Learn how E-Sign could improve your data compliance with regards to the GDPR: give us a call, visit the website e-sign.co.uk or email firstname.lastname@example.org.
For information on GDPR, please visit: