GDPR is now in full effect, following two years of headlines shouting about severe fines – €20 million or 4% of global turnover, whichever is higher. Many businesses, however, don’t consider themselves prepared despite the past deadline; 60% of businesses state they are not “GDPR ready”, according to a Populus survey.
The good news is that GDPR compliance is more of a long-term project as opposed to something that was deemed complete on 25th May 2018. Here are some key areas for consideration if you’re still not fully compliant.
Some action is more important than no action
If you’re worried about being late to the GDPR party, don’t. The GDPR requires businesses to put in place “appropriate measures” to secure the personal data (PII) that they hold. Data breaches could still occur even if you put in place the most robust security solutions available, because hackers are getting cleverer and more sophisticated. The ICO won’t punish every business that experiences a data breach.
What you’re more likely to get penalized for is not taking any action. If your business experiences a data breach – deliberate or accidental – you must report it to the ICO and prove that you put those “appropriate measures” in place; this is more important to the ICO.
Train your workforce
Data breaches conjure up images of shady hackers and computer meltdowns. However, 30% of all data breaches are down to employee error, according to Beazley. What’s more, when your business falls victim to a cyberattack, there’s a 90% chance that there was an employee error somewhere down the line – whether that’s losing a device or clicking on a malicious email link and unknowingly infecting your IT estate with malware like ransomware.
Even with powerful cybersecurity measures in place, employees are still a weak link in your line of defense. Education is critical to ensure your workforce is aware of the risks associated with data. You can do this in a number of ways, from mandatory training to simulated phishing attacks, whereby you create a realistic-looking but fake email and test how well your staff can spot email-borne threats. If a member of staff falls for the attack, they are directed to training to ensure it doesn’t happen again.
Implement removable device policies
Thanks to their proliferation and portability, removable storage devices can make GDPR compliance seem almost unmanageable. Bring Your Own Device (BYOD) policies and the increasing number of portable devices afforded to staff members (all colleagues at TSG work on laptops rather than desktop PCs) increase the risk of lost or stolen devices.
As a business, you should strongly consider implementing a removable storage policy which follows best practice guidelines around portable devices. You could choose to disallow personal storage devices, or add every removable device to your Asset Register and encrypt it. This allows you to track all devices should one be lost or stolen, and follows the GDPR’s guidance on encryption.
Appoint a Data Protection Officer
Many businesses know of the role of the Data Protection Officer under GDPR, but few know that it can be filled in a number of different capacities. The most important element is that you should appoint a DPO in some capacity, but it does not necessarily need to be a new hire, which will be a relief to small business owners.
If you have an existing staff member whose job role aligns with the responsibilities of the DPO, you can appoint them the DPO role. Additionally, the role can be part-time, outsourced or shared with another business if there isn’t the budget or – more importantly – the requirement for a full-time DPO.
The Article 29 Data Protection Working Party has advised businesses to assume they require a DPO unless they can prove otherwise.
The highest fines are unlikely to be implemented
Naturally, the most-publicized fines of €20 million or 4% of global turnover have struck fear into the hearts of business owners – particularly those at small businesses and start-ups. And while it’s true that the ICO will have the power to impose these fines, the Commissioner has already stated that businesses will not be made an example of. It’s only in the most severe cases, with multiple serious breaches, that the ICO would consider the highest penalties.
The ICO will most likely impose higher penalties on businesses that choose to ignore the GDPR, rather than on businesses that experience breaches. If you’ve implemented no security measures in the face of GDPR, this is considered a bigger breach of the regulation than any data leak. A point worth remembering.
The GDPR isn’t designed to catch businesses out. Its purpose is to empower consumers and give them more control over their own data. Compliance is a journey, rather than a project that you could mark as completed on 25th May 2018.