GDPR - Huge fines

GDPR – Why should every business in the UK treat it seriously?

GDPR – What has it got to do with my business?

When I first read about the new General Data Protection Regulation (GDPR), due in May 2018, I was somewhat bemused. Apart from a few headline cases the current regulations don’t seem heavily policed. The Information Commissioner’s Office is a small dept and so how are they to police 4.5m businesses?

Once you start to get into the detail you start to realise it’s not about who you can email but more about protecting sensitive personal data. So I was wondering how the often quoted fines of up to €20m or 4% of group annual global turnover will be applied.

On further reading, GDPR puts the onus on the business to report a data breach. You have 72 hours in which to do it! I doubt many of the UKs small and medium sized businesses have the ability to do that. This means if you have a breach and they don’t know it but the breach is subsequently identified by a third party then they will probably be in double jeopardy.

This article isn’t about how to comply with GDPR, there are firms setting themselves up to do that. With all the recently reported breaches, the rising threat of cyber attacks and the increasing digitisation of our lives then we do need to take GDPR seriously.

But what to do?

The Government launched a scheme in 2014 called Cyber Essentials. This is a Government sponsored accreditation scheme that you can bench mark the security of your systems against. It doesn’t cost very much to do the assessment. However, it will tell you what you need to do to be prepared for the increased threats.

By the way, I don’t think it is about technology. The largest breaches of loss of data are not down to external hackers but are internal. So most of the work in achieving accreditation are down to getting the right processes in place. It means better password management and having appropriate levels of access. You then need to train your staff and monitor compliance. Not an easy task in itself.

So having introduced technology in one shape or form or another over my lifetime, you have three things to manage. These are technology, people and processes. For the technology, just get the latest versions, keep it updated and work with a technology partner who will keep you updated. That’s the easy bit. The hard bit is getting your staff to comply with password changes, compliance (i.e. not taking personal data out of secure systems) and keeping HR policies in step with developments in technology.

Taking Action

Given the breadth and depth of GDPR I think there will be a lot more written about it. I personally think accreditation to Cyber Essentials will be the key to mitigating the risk of a breach.

To find out more to prepare for GDPR go to web site of the Information Commissioners Office

To download the questions that you need to be able to get Cyber Essentials Accreditation go to: Cyber Essentials Self-Assessment Questionnaire

Longer term, with increased demands to keep personal information up to date, I can see companies having to provide online access. This can be done through a web interface so that customers can manage their own data. It could be as we do now with an App, you authorise a company to access your personal data in an App like Facebook. This will be the data they are allowed to use. Whatever direction it does take, companies are going to have to get a lot better at managing personal information. Are you prepared?