New legislation and changes to regulations such as the General Data Protection Regulation (GDPR) can be extremely daunting for both public and private sector organisations. One of the principal reasons for this is that many of these don't always have the necessary manpower and/or expertise, making the task in hand feel onerous.
However, there is good reason to ensure that we comply. Take the recent global ransomware attack, WannaCry; policies and practices must be in place to not only comply with regulation, but also to protect our businesses and our customers. WannaCry has infected numerous computers in more than 150 countries so far, including at least 16 organisations affiliated with the NHS, wreaking havoc for hospitals and patients alike.
This attack is a timely reminder of the inherent vulnerabilities of the Internet and stark evidence that many of the technologies on which we have come to rely are not always as resilient as we would like to think, highlighting why robust information security is so important. The most basic of practices like backing up data, updating software and repeating these activities routinely, might have prevented these organisations from falling victim.
Protecting such data has long been an obligation of all organisations and the Data Protection Act has provided the legislative core for protecting the associated rights of citizens in the UK for the last few decades. Yet, in the absence of an identifiable data breach, how easy or otherwise is it to test for widespread compliance? With the advent of GDPR, the stakes are about to get higher and pressure is on organisations to get things in order.
The good news is that the introduction of GDPR will clear up most of the complexity around understanding the various local data protection regulations in Europe. GDPR is preparing for a new era now defined by cloud, mobile, social, big data and an increased exchange of data across national borders. It affects all companies that process the personal data of EU-citizens and this also extends to companies that process data of EU citizens without having a physical presence in the EU.
Despite the proliferation of articles covering GDPR and the fact that the GDPR is only less than 12 months away, it would appear that many organisations are still not prepared or indeed preparing. According to a recent survey by IDC of 700 European companies of various sizes, almost 80% of IT decision-makers have a poor understanding of GDPR's impact of or have not even heard of it. Of the 20% surveyed who said they were aware of GDPR, only 20% said that they already meet the new requirements.
It feels like one of those scenarios where, the hardest part is getting started. Although GDPR builds on the existing Data Protection Act, it's a sizable piece of legislation. But with closer regulatory oversight anticipated, especially on the SME community, it's important to get going now.
For most organisations, there's a good chance that many of the underlying processes will already be in place, so the route to compliance may be shorter than anticipated. The key is to ensure that, you know what you need to do in order to prepare and that you give yourself adequate time and resources to ensure that you do this properly.
Here are a few steps to help with your planning for GDPR:
1. Raise awareness - make sure that decision makers understand the reasons for compliance and what the journey to compliance involves.
2. Brief staff on the changes they can expect to the way they work and handle personal data.
3. Perform a data audit and a risk assessment to ensure an effective security policy is implemented.
4. Communicate clearly to data subjects -all data subjects should be made aware in clear language that their personal data is being collected, for what purpose, and how long it will be stored.
5. Consider the purpose of data collection and think about how data is deleted.
6. Understand data subject rights - they have the right to request access to data related to them that an organisation may be storing or processing.
7. Provide data subjects with the means to move their personal data away - this is a new and unexplored requirement and a common framework needs to be established.
8. Conduct a data protection impact assessment - especially in scenarios where data processing is likely to result in a high level risk to the data subject rights.
9. The confidentiality, integrity and availability of data processing systems must be guaranteed and documented.
10. Overall ensure you have effective policies and technology in place to limit your risk exposure.
It may feel as though there are priorities other than GDPR right now, but May 2018 will come round very quickly and the consequences for getting it wrong will be exponentially more severe. Transgressors will face considerable fines which act as a large incentive in itself, but as the UK's Information Commissioner has recently commented: "The digital economy is primarily built upon the collection and exchange of data, including large amounts of personal data - much of it sensitive. Growth in the digital economy requires public confidence in the protection of this information." Therefore, it is in the best interests of businesses to ensure they get their act together when it comes to the new legislation.