How to ensure long-term compliance with GDPR
The General Data Protection Regulation (GDPR) is now in force, and household-name businesses like Ticketmaster and British Airways could find themselves in hot water with the Information Commissioner’s Office (ICO) for potentially breaching GDPR in their recent data breaches.
An Enbrighten survey conducted around the time of the GDPR deadline found that over half of business owners are expecting to be financially penalised under GDPR.
In addition, only 35% of businesses are aware of the most severe fines – €20 million or 4% of global turnover, whichever is higher.
But it doesn’t have to be this way. Rather than resigning yourself to receiving a fine from the ICO, you can take actions to ensure long-term compliance with GDPR. Here are some of the key areas you should be looking at:
Secure your sensitive digital data
As demonstrated by recent data breaches, in particular the British Airways hack, the most important step you need to take is securing the Personally Identifiable Information (PII) your business holds.
Many businesses assume they don’t hold much data, but every organisation will at least have PII data on their employees.
Some businesses, like those who use ERP and CRM solutions, will have a lot of customer information stored in their financial solutions like Dynamics 365. British Airways could be punished with a fine of around £500 million for not putting appropriate measures in place to protect its customers’ data.
What’s more, Heimdal Security researchers have concluded that under GDPR hackers will target your data with more ferocity than ever, holding you to ransom: they will extort money to keep the breach secret from the ICO, the GDPR enforcer, which, they’ll insist, would otherwise punish you with severe fines.
A single layer of defence is no longer enough. 2017 was dubbed the ‘year of the cyber-attack’, so prolific were hacker-led data breaches, and 2018 shows no signs of letting up.
Layer your defences so that, should hackers get past your first line, you still have protection in place. As for which security measures you should prioritise…
Encrypt your data
Encryption is one of the most powerful tools at your disposal when it comes to protecting your digitally-stored PII data. What’s more, it’s explicitly mentioned in the GDPR; and when the ICO throws you a bone like this, you should take it.
As detailed in the regulation, encryption technologies “render the data unintelligible to any person who is not authorised to access it”.
There’s a misconception that encryption technologies will disrupt users’ regular working practices through multiple authentications and logins, but sophisticated solutions will allow users who have access to files to open and work on them as usual.
Encryption can be enacted at a file, folder or device level so you can choose the level of security applied. Should an unauthorised user try to access your data – be it a hacker or an innocent bystander in the event of accidental data disclosure – it will be unreadable and inaccessible.
This protects you in cases of cyber-attacks and accidental or malicious disclosure by staff. And speaking of staff…
Ensure your workforce is cyber-aware
Thanks in part to the media frenzy currently surrounding high-profile data breaches, you’d think that hackers are primarily responsible. However, 30% of all data breaches are down to employee error according to data from Beazley.
What’s more, when your business falls victim to a cyber-attack, there’s a 90% chance that there was an employee error somewhere down the line – whether that’s losing a device or clicking on a malicious email link and unknowingly infecting your IT estate with malware such as ransomware.
You could spend all the money in the world on cyber-security solutions, but if your workforce isn’t aware of the cyber-threat landscape, it’s pointless. Education is absolutely critical to ensure your workforce is aware of the risks associated with handling data.
You can do this in a number of ways, from mandatory training to simulated phishing attacks, whereby you create a realistic-looking but fake email and test how well your staff can spot email-borne threats. If a member of staff falls for the attack, they are directed to training to ensure it doesn’t happen again.
Limit or ban removable hardware
Heathrow Airport hit the headlines last year for narrowly avoiding an unintentional data breach when an employee transferred sensitive information onto a USB stick, took it out of work and lost it.
The airport was lucky that the stick was handed in by a thoughtful member of the public and not picked up by someone with more nefarious intentions.
Bring Your Own Device (BYOD) policies and the increasing number of portable devices afforded to staff members increase the risk of lost or stolen devices.
You can combat this risk by implementing a removable device policy that restricts such devices to staff who need them, with the stipulation that they must be encrypted and registered. Alternatively, you could ban them entirely.
Some action is more important than no action
If you still feel underprepared for GDPR despite the past deadline, this is the most important advice you should heed. The GDPR requires businesses to put in place “appropriate measures” to secure the PII data that they hold.
Data breaches could still occur even if you put in place the most robust security solutions available, because hackers are getting cleverer and more sophisticated. The ICO won’t punish every business that experiences a data breach.
The ICO will, however, punish businesses that did nothing to protect their data in light of GDPR. If your business experiences a data breach – deliberate or accidental – you must report it to the ICO and prove that you put those “appropriate measures” in place; that evidence is what matters most to the ICO.
It’s also important not to panic. The ICO has stressed that it isn’t looking to make an example of businesses that do fall victim to a breach. Rather, it wants businesses to be careful with the sensitive data they hold, in order to protect the consumer.