3 Tips For Mitigating Data Protection Risk Following GDPR
“The new rules will ensure that the fundamental right to personal data protection is guaranteed for all. The GDPR will help stimulate the Digital Single Market in the EU by fostering trust in online services by consumers and legal certainty for businesses based on clear and uniform rules.” – A statement from the European Commission
Among the new regulations are elements such as the right to be forgotten for individuals. Many elements of GDPR will help protect consumers from unwanted communications and approaches from organisations.
A couple of other changes to be aware of:
- Consent age for data collection raised from 13 to 16
- Data must be deleted if it is no longer held for a purpose
GDPR is good for business and IT teams, as it brings standardisation to what was a messy and out-of-date patchwork of policies and organisations. Bear in mind that there are 28 member states, which until now all had their own ideas on what data protection looked like and how it should be handled. This made data handling and storage a colossal headache for many European organisations, whose business and data frequently cross borders. The benefits of these changes will no doubt be felt by data protection officers across the globe.
Much is being made of the individual's rights regarding how a company holds and uses data. Every company collects masses of data on clients and individuals, from employees to customers. Under GDPR you will be held more accountable than ever before: should your company suffer a breach in network security and data is leaked, you can no longer try to keep quiet about it. Under the new regulations a company must notify the EU government of the breach within 72 hours of discovery.
Following the notification and resolution of the breach will be the inevitable investigation by the central European authority responsible for policing these new regulations. This is where things really start to come into play for IT. Most companies are now targeted at some level by cybercrime: some are specifically targeted for their IP and held to ransom, others are hit because of the rich, high-value data held within their data centre. In a recent blog, I spoke about the need for robust network and endpoint security combined with encryption to protect your company from the threat of these types of breaches. Now that GDPR has been signed off, the truth is that the fine faced by your business could be 4% of total worldwide turnover, or 20 million euros.
More than ever, it is vital that your IT organisation takes a good hard look at its data protection and handling policies, and at how it can best mitigate the fallout following a breach.
- Update All Data Protection Policies
This is part of GDPR, so for starters it will help you get compliant. It is also a great exercise and an opportunity to stress to the board the value of investing in data protection solutions, such as data encryption and archiving to an air-gapped data silo.
- Test your vulnerabilities
You may have some tools in-house for testing your endpoint and network security. These tools do their job, but they are nothing compared to the specialist organisations that exist to deliver the next generation of penetration testing. When it comes to mitigating the risk of a hefty fine, being seen to have taken every precaution will score big brownie points.
- Look at your 3rd party suppliers
Are you backing up to an offsite location, or archiving to a cloud provider? If so, what do you know about their business and how they keep your data secure? Are they using encryption? It is your business that is responsible for the data it handles, so ultimately you want to know that your outsourcing partner is going to do everything you need to protect your business too. Cloud providers such as Microsoft Azure invest heavily in data protection specialists across all aspects of the service. ISO 27018 approval demonstrates the dedication you should expect from a provider entrusted with your cloud data.
These 3 tips are a good place to start in identifying where you may need to tighten up your data protection. Making sure your board completely understands the importance of compliance with GDPR is now vital. Working with our partners and clients, we have helped create and deliver secure hybrid and cloud infrastructures that also enable a business to take full advantage of all the different compute and mobility methods available to the modern enterprise.