Regardless of the effects of Brexit, UK SMEs and large organisations alike that process data regarding EU individuals will be subject to the General Data Protection Regulation (GDPR).
‘Processing’ of data refers to obtaining, disclosing, recording, holding, using, deleting or destroying personal information – essentially, whatever you do with that information inside your company, on paper or digitally.
A wider reach than ever
The territorial reach of the GDPR is considerably broader than the UK's current Data Protection Act. The test is about the data, not the company: you can be subject to the GDPR if the data you handle concerns individuals residing in the EU, whether or not your organisation is based in the EU. Indeed, even monitoring the behaviour of an EU individual, for example through the cookies your website sets, can bring you within the GDPR.
And with monitoring features like cookies now more or less ubiquitous, companies that offer a digital service such as a web app, platform or website (which is more or less every company) accessible to EU individuals must comply with the GDPR from 25 May 2018. The new regulation also removes the distinction between personal and business addresses: a work email address that identifies a person (firstname.lastname@example.org, for instance) is personal data. Marketing email to such an address will require consent, and it is up to the sender to prove that consent was given. Whether your business is B2C or B2B, the incoming changes will most likely affect you.
Ill-prepared for change
When the GDPR was agreed in 2015, just 1% of cloud service providers were prepared for the changes.
Suppliers had significant issues around the new regulatory requirements, from data breach detection to encryption and data deletion policies.
Now that the GDPR has a firm start date of 25 May 2018, these issues must be rectified.
The GDPR is casting a much wider net when it comes to the collection, storage and use of EU citizens’ personal data. As such, you need to be more vigilant than ever when it comes to data protection. The following are five areas of focus when it comes to data protection best practice.
1. Secure the Cloud
Processing data in the cloud presents a risk. The personal data you are responsible for is no longer located within the known confines of your on-premises network, but is processed in systems managed by your cloud provider. You remain accountable for it, so you need to assess the security measures your cloud provider has in place, and the contractual terms under which it processes data on your behalf, to ensure they are appropriate.
2. Understand what you have
Given just how much data we now generate, part of keeping it secure involves understanding which information is and isn’t valuable to your company.
- Necessary: ensure you only collect the information you actually need, as systems can quickly become cluttered with data nobody uses. Usage logs can help you identify content that is no longer being accessed.
- Secure: it is your legal obligation to keep customer information secure. Data encryption and user training are vital parts of this; you can't afford employees unintentionally sharing information they shouldn't.
- Readily available: under the GDPR, an individual can ask whether your organisation holds any personal information about them, known as a ‘subject access request’. The current 40-day limit becomes one month under the GDPR. Make sure that your staff can recognise a subject access request and quickly find the relevant information.
3. Staff Training
Whether intentional or not, it’s common for employees to be the main contributors to data breaches. Accidental disclosure and human error, from sending an email to the wrong recipient, to opening an attachment with malware are the main causes for breaches in personal data, according to the UK’s Information Commissioner’s Office (ICO).
By ensuring your employees acknowledge and understand their roles and responsibilities, you can greatly improve data protection across your organisation. Train your staff so they understand where it is and isn't appropriate to share information about the company or its customers.
4. The right to retain
It is good practice to review and refine the length of time you keep personal data. Disposing of personal data when it is no longer needed greatly reduces the risk that it becomes out of date, irrelevant or inaccurate. Always consider the purpose for which you are holding information, and whether that purpose still justifies keeping it. Information that is out of date should be updated; information that is no longer needed for its purpose should be securely archived or deleted.
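The retention review described above can be made routine rather than a one-off exercise. The following is an added example, not code from the original page or from Amshire: it applies a hypothetical retention schedule (the purposes, periods and actions are constructed for illustration, not a real policy) to a set of records and sorts them into keep, archive, delete and needs-review buckets. Records whose purpose is undocumented, or which have expired but are under legal hold, are routed to review rather than destroyed automatically.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical retention schedule: purpose -> (retention period, action on expiry).
# Constructed for this example; it is not a recommended or legally vetted schedule.
RETENTION_POLICY = {
    "customer_contract": (timedelta(days=6 * 365), "archive"),
    "marketing_consent": (timedelta(days=2 * 365), "delete"),
    "support_ticket":    (timedelta(days=365),     "delete"),
}


@dataclass(frozen=True)
class Record:
    record_id: str
    subject: str            # the individual the data concerns
    purpose: str            # the documented reason for holding it
    collected_at: datetime  # timezone-aware
    legal_hold: bool = False  # e.g. litigation or an open investigation


def classify_records(records, policy=RETENTION_POLICY, now=None):
    """Sort records into keep / archive / delete / review by retention policy.

    - unknown purpose      -> review (no documented purpose means no justification)
    - within period        -> keep
    - expired + legal hold -> review (must not be destroyed yet)
    - expired              -> the action the policy names for that purpose
    Returns a dict of bucket name -> list of record_ids.
    """
    now = now or datetime.now(timezone.utc)
    buckets = {"keep": [], "archive": [], "delete": [], "review": []}
    for r in records:
        if r.purpose not in policy:
            buckets["review"].append(r.record_id)
            continue
        period, action = policy[r.purpose]
        if now - r.collected_at < period:
            buckets["keep"].append(r.record_id)
        elif r.legal_hold:
            buckets["review"].append(r.record_id)
        else:
            buckets[action].append(r.record_id)
    return buckets


# Constructed sample data; subjects and dates are invented.
AS_OF = datetime(2017, 5, 1, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    Record("A", "subject-1", "customer_contract", datetime(2010, 1, 1, tzinfo=timezone.utc)),
    Record("B", "subject-2", "marketing_consent", datetime(2016, 1, 1, tzinfo=timezone.utc)),
    Record("C", "subject-3", "support_ticket",    datetime(2015, 1, 1, tzinfo=timezone.utc)),
    Record("D", "subject-4", "support_ticket",    datetime(2015, 1, 1, tzinfo=timezone.utc), legal_hold=True),
    Record("E", "subject-5", "legacy_import",     datetime(2012, 6, 1, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    for bucket, ids in classify_records(SAMPLE_RECORDS, now=AS_OF).items():
        print(f"{bucket:8s} {ids}")
```

Running the script with the constructed data lists record A for archiving, B to keep, C for deletion, and D and E for manual review. In practice the "delete" bucket would feed a job that removes the data from live systems and backups alike, and the "review" bucket would go to whoever owns the data in question.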
5. Audit your activity
Unaware or inexperienced users are more prone to mistakes when it comes to keeping content secure. Audit logs are a great way to keep on top of company content: where it is going and who is accessing it. By monitoring your systems and services, you can be alerted to any suspicious behaviour or activity. So make sure this is the case in your organisation: ensure you can check what software or services are running on your network, and make sure you can identify when something is there that shouldn't be.
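Audit logs only help if something actually reads them and raises an alert. The following is an added example, not code from the original page or from Amshire, showing a small set of detection rules run over constructed audit-log lines in a simple key=value format (the log format, user names, resource names, IP ranges and thresholds are all assumptions for illustration). It flags accounts touching personal-data stores they are not authorised for, bulk exports, out-of-hours activity and access from outside the internal network, and also reports lines it cannot parse rather than silently dropping them.

```python
import re
from datetime import datetime

# Constructed audit log lines; not real Amshire data. Timestamps are UTC.
SAMPLE_LOG = """\
2017-04-03T09:12:41Z user=alice action=read resource=crm/customers rows=1 src=10.0.0.12
2017-04-03T09:15:02Z user=bob action=read resource=crm/customers rows=3 src=10.0.0.15
2017-04-03T02:14:07Z user=bob action=export resource=crm/customers rows=5000 src=10.0.0.15
2017-04-03T13:40:19Z user=svc_backup action=read resource=hr/payroll rows=220 src=10.0.0.9
2017-04-03T14:05:55Z user=alice action=delete resource=crm/customers rows=1 src=10.0.0.12
2017-04-03T14:06:30Z user=mallory action=read resource=crm/customers rows=40 src=203.0.113.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"resource=(?P<resource>\S+) rows=(?P<rows>\d+) src=(?P<src>\S+)$"
)

# Hypothetical access policy: which accounts may touch each personal-data store.
AUTHORISED = {
    "crm/customers": {"alice", "bob"},
    "hr/payroll": {"hr_admin"},
}
BULK_EXPORT_ROWS = 1000        # exports at or above this size are flagged
WORK_HOURS = range(8, 19)      # 08:00-18:59 UTC counts as business hours
INTERNAL_NET = "10.0.0."       # naive prefix check; a real rule would use ipaddress


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["rows"] = int(ev["rows"])
    return ev


def check_event(ev):
    """Return a list of (rule, reason) findings for one parsed event."""
    findings = []
    if ev["user"] not in AUTHORISED.get(ev["resource"], set()):
        findings.append(("unauthorised_account",
                         f"{ev['user']} is not authorised for {ev['resource']}"))
    if ev["action"] == "export" and ev["rows"] >= BULK_EXPORT_ROWS:
        findings.append(("bulk_export",
                         f"{ev['rows']} rows exported from {ev['resource']}"))
    if ev["ts"].hour not in WORK_HOURS:
        findings.append(("out_of_hours", f"activity at {ev['ts'].isoformat()}Z"))
    if not ev["src"].startswith(INTERNAL_NET):
        findings.append(("external_source", f"access from {ev['src']}"))
    return findings


def audit(log_text):
    """Run every rule over every line; return one alert per line with findings."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            alerts.append({"line": line, "user": None,
                           "findings": [("unparseable", "line did not match expected format")]})
            continue
        findings = check_event(ev)
        if findings:
            alerts.append({"line": line, "user": ev["user"], "findings": findings})
    return alerts


if __name__ == "__main__":
    for alert in audit(SAMPLE_LOG):
        rules = ", ".join(rule for rule, _ in alert["findings"])
        print(f"[{rules}] {alert['line']}")
```

On the constructed log this raises three alerts: bob's 5,000-row export at 02:14 (bulk export, out of hours), the backup service account reading payroll (not on the authorised list), and mallory reading customer records from an external address. The unauthorised-account rule is the one that directly answers "who is accessing it"; the others are cheap signals that a legitimate account may be misused or compromised.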
With only a year to ensure your business is fully compliant, do you have enough time?
Contact Amshire today on 0330 2020 340 to find out if your Company is GDPR-ready