Many organisations seem to think that compliance with the EU’s General Data Protection Regulation (GDPR) is simply about the right wording in their privacy policy, a cookie consent plug-in for the website and getting explicit consent from their marketing mailing list.

However, the point of the General Data Protection Regulation is data protection and data privacy.

If your organisation suffers a data breach, your affected customers, suppliers and employees won’t care how well-crafted your privacy policy is or whether you can show a report that ‘proves’ that everyone on your list really clicked ‘yes’ on your opt-in form.

If you haven’t implemented basic security measures to protect the personal data you are supposed to be looking after, don’t expect the regulator to cut you any slack because your website allows you to opt out of cookies.

If you really care about data privacy – and you want to keep on the right side of the law – here are five practical steps that organisations of all sizes can take to actually do something about keeping data safe and secure:

1 – Train your staff

Your employees are your greatest asset when it comes to data protection – and your biggest liability.

Training and education should be the number one priority in your security plan.

Everyone should know:

  • what personal data is and how to keep it private.
  • what the key components of the GDPR are and what rights are conferred on a data subject. Remind employees that they are data subjects too.
  • what your organisation is permitted to do with personal data and any limitations on processing.
  • how to deal with Subject Access Requests. You should have clear procedures for these so that they can be recorded and processed in a timely manner.
  • how to report any accidental or deliberate loss, unauthorised access or deletion of personal data.

Training and education in data privacy and security should be mandatory for everyone at all levels – including senior management.

While larger organisations may have a training department and substantial resources, there are still plenty of options available to smaller companies.

There are lots of classroom and online training courses and many free videos explaining GDPR, the rights it confers on data subjects and the responsibilities it imposes on data controllers and data processors.

You can see a selection of training and awareness videos in the video section on this site. You can even use services like Moovly to create your own branded GDPR training video using their free GDPR awareness video as a starting point.

Short video content like this is a good way to communicate a topic that can be difficult to get employees excited about!

2 – Review your data

Know what personal data you are holding, where it is and who has access to it.

If you don’t know this, you won’t be in a position to do anything about controlling and securing data and providing access to those who need it.
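A practical way to start the review is to scan your own file shares for files that contain personal-data patterns and note how widely readable each one is. The script below is an added example, not code from the original article; it assumes a POSIX filesystem and uses constructed regular expressions (an email address and a UK-style phone number) and a constructed sample directory so that it runs offline. Tune the patterns to the data your organisation actually holds.

```python
"""Find files that contain personal-data patterns and flag how widely readable they are.

Added example (not from the original article). Assumes a POSIX filesystem;
the scan root, regexes and sample files below are constructed for illustration.
"""
import os
import re
import stat
import tempfile
from pathlib import Path

# Constructed patterns: an email address and a UK-style phone number.
# Deliberately simple; extend them for the data your organisation holds.
PATTERNS = {
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    "uk_phone": re.compile(r"\b0\d{4}\s?\d{6}\b"),
}

SKIP_SUFFIXES = {".png", ".jpg", ".zip", ".gz", ".exe", ".dll"}  # skip obvious binaries
MAX_BYTES = 5 * 1024 * 1024  # do not read huge files into memory


def scan_file(path: Path) -> dict:
    """Return counts of personal-data matches in one file plus its exposure."""
    try:
        text = path.read_bytes()[:MAX_BYTES].decode("utf-8", errors="ignore")
    except OSError:
        return {}
    hits = {name: len(rx.findall(text)) for name, rx in PATTERNS.items()}
    if not any(hits.values()):
        return {}
    mode = path.stat().st_mode
    return {
        "path": str(path),
        "hits": hits,
        "world_readable": bool(mode & stat.S_IROTH),
        "group_readable": bool(mode & stat.S_IRGRP),
        "mode": oct(stat.S_IMODE(mode)),
    }


def scan_tree(root: Path) -> list[dict]:
    """Walk root and report every file holding personal data, most exposed first."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath, name)
            if p.suffix.lower() in SKIP_SUFFIXES or p.is_symlink():
                continue
            rec = scan_file(p)
            if rec:
                findings.append(rec)
    # World-readable files first: those are the ones to fix today.
    findings.sort(key=lambda r: (not r["world_readable"], r["path"]))
    return findings


def build_sample_tree() -> Path:
    """Constructed sample data so the example runs offline."""
    root = Path(tempfile.mkdtemp(prefix="pii-scan-"))
    (root / "hr").mkdir()
    (root / "public").mkdir()
    payroll = root / "hr" / "payroll.csv"
    payroll.write_text("name,email,phone\nAnn Example,ann@example.com,01234 567890\n")
    payroll.chmod(0o600)  # restricted to the owner
    export = root / "public" / "export.txt"
    export.write_text("contact: bob@example.org\n")
    export.chmod(0o644)  # world-readable: this is what we want to catch
    (root / "public" / "readme.txt").write_text("nothing personal here\n")
    return root


if __name__ == "__main__":
    for r in scan_tree(build_sample_tree()):
        flag = "WORLD-READABLE" if r["world_readable"] else "restricted"
        print(f"{flag:15} {r['mode']} {r['path']} {r['hits']}")
```

Run it against a real share by passing your own root to `scan_tree`. The output is a starting inventory, not a complete one: it only finds the patterns you gave it, so pair it with a conversation with each team about the data they actually handle.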

3 – Review your backup procedures

Make sure you have robust backup systems in place, test regularly that you can actually restore from them, and keep at least one copy offline or otherwise immutable so that ransomware cannot encrypt your backups along with the live data.

This is vital for all business critical data, not just personal data.

4 – Delete anything you don’t need

If you are holding any personal data that isn’t required for your processing activities or a legal requirement, delete it.

The same principle should apply to all data – if you don’t need it, don’t waste resources storing it and managing it.

5 – Implement some basic security measures

No-one expects every organisation to have world-class security, but you should take some common-sense steps to make sure you have security appropriate to the type and volume of personal data you are storing and/or processing.

This might include:

• Encrypting data, both at rest and in transit
• Monitoring and logging access to directories and files that contain personal data
• Enforcing strong passwords: favour length over complexity rules, and screen new passwords against lists of known-breached passwords
• Forcing a password change when a compromise is suspected, rather than on a fixed schedule (current guidance such as NIST SP 800-63B advises against routine forced rotation, which tends to produce weaker, predictable passwords)
• Using two-factor authentication for logons
• Managing mobile devices
• Not using unencrypted email for communicating personal information
• Enforcing data protection and security policies
• Making sure everyone in the organisation knows how to handle personal data
• Regularly testing your security procedures

This list isn’t comprehensive and you might need to take additional security steps if you are dealing with large quantities of data and/or sensitive personal data.

Every business will have different security requirements based on the type and quantity of data stored and processed and the potential impact on data subjects that a data breach would entail.

A large bank will have more robust security measures in place than a typical small retailer (one would hope!). Hospitals and other medical facilities that are holding sensitive personal data will have different risks and responsibilities than, for example, a small construction firm.

Real Security is the best route to GDPR compliance

For most commercial organisations holding typical details of customers, suppliers and employees, implementing the above measures will go a long way towards reducing both the likelihood and the impact of a data breach.

And if the worst does happen, at least you will be able to demonstrate to the regulator that you did more to comply with GDPR than simply ticking boxes and giving the outward appearance of compliance.

It’s much more important to be doing something practical about data security than wondering how best to tell stakeholders how much you value their privacy!

Getting the basics right now doesn’t have to be expensive and you can save endless amounts of grief and much greater costs further down the line by having the right systems in place to keep your data secure. When it comes to data security, an ounce of prevention really is worth a pound of cure.

If you want to speak to an expert about a practical path to protecting your data and really complying with GDPR and other privacy legislation – without compromising your commercial objectives – use the enquiry form on this page to arrange a no-obligation call or email gdpr@portalpages.info


Resources:

General Data Protection Regulation

Verizon Data Breach Report

IBM/Ponemon Cost of Data Breach Study

Intel/McAfee Data exfiltration study

Ipswitch Insider Threats and their impact on Data Security
