With just a few months to go until GDPR comes into force, there are signs that not every company is prepared to meet the new, tighter data regulations.
In fact, research from Trend Micro shows an alarming degree of under-preparedness from a large number of organisations.
GDPR may build on existing data regulations, but the new law goes further to protect individuals, and includes provisions for larger penalties for organisations that fail to protect user data.
This means that organisations cannot simply sleepwalk into the GDPR regime and hope their existing data management practices are adequate. Maximum fines have ballooned from £500,000 under the DPA 1998 (the current legislation) to €20m or 4% of a group's total worldwide annual turnover for the preceding financial year (whichever is greater). If the old fines were troubling, the new fines are potentially crippling, enough to sink many organisations in a heartbeat.
Complacency towards GDPR may evaporate the moment an organisation is hit with a record-breaking fine, but no organisation can afford to be the example that sets everyone else straight.
"As often happens with regulation, it's going to take a whipping boy to understand the gravity of the situation for most organisations. One high-profile case of a company handing money over for non-compliance under the GDPR will be the required wake-up call the rest of the industry needs to get their act together." – Rik Ferguson, Trend Micro
Time is slipping away, but it's not too late to start preparing for GDPR. The first step, of course, is to understand what is required of you. You will then need to know exactly what personal data you hold and the lawful basis on which you keep it, and be able to explain how you acquired it, how you process it, who has access to it, and how you keep it secure.
You must consider how data enters your organisation and how it leaves, and the security implications of every step in between. You also remain responsible for the third parties (processors) that help you manage, process or use that data, so you will need to review your contracts to ensure that data security responsibilities are clearly defined for all parties.
Another cornerstone of GDPR is the duty to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals; where the risk is high, the affected individuals must be informed as well. Everyone in your organisation needs to know this, and they need to understand the protocol for reporting suspected breaches internally, so that the 72-hour clock is not eaten up by delays before the right people even hear about it.
GDPR also requires organisations to have security measures in place that are appropriate to the risks they face. The more data you hold, and the more sensitive its nature, the stronger your security practices should be. Are you prepared to demonstrate how you deter and detect intruders on your network? How you identify unusual activity, such as bulk downloads of personal data? Whether your encryption infrastructure is up to date?
Shockingly, Trend Micro's survey revealed a lack of awareness of what 'personal data' even means in the context of GDPR:
- 56% of businesses didn't know that email marketing data is personal information
- 79% didn't think that a customer's date of birth is personal information
- 29% didn't know they need to protect a customer's postal address
If this many organisations don't know what personal data means, how can they be protecting it adequately?
Perhaps some organisations are hoping that GDPR will fall by the wayside as Brexit bites. This is an unlikely scenario: even if the UK government had any appetite for scrapping GDPR, any organisation that offers goods or services to, or monitors the behaviour of, individuals in the EU would still need to meet GDPR's standards. Additionally, Britain was one of the great driving forces behind the new legislation and is unlikely to alter course on this.
Rather than resist the inevitable, it's time to get on board with GDPR and start building products, services and companies that embody the famous 'privacy by design' ethos, rather than treating privacy as an afterthought or a nagging concern.
We're here to help you understand precisely what GDPR means for you and your organisation, and how to build an accountability culture where everybody understands their responsibilities when it comes to processing and storing personal data in line with the law.
Our brand new course, 'Protecting Data', will help companies based in the EU, and those that deal with the data of individuals based in the EU, comply with GDPR. The course covers three topics: data and the new law; the principles, rights and obligations of GDPR; and GDPR breaches. Learners can test their knowledge at the end of these three modules to see what they have learnt about GDPR and their responsibilities.
How GDPR-ready is your organisation?