This month marks one year until GDPR finally comes into effect, and in the coming months, many businesses will be finalising, or perhaps even beginning, preparations for their overall data protection strategy. Though current legislation, such as the Data Protection Act of 1998, provides a starting point for safeguarding data, these new regulations will require businesses to ramp up security to a greater extent.
Guidelines around how to prepare remain ambiguous for now, with little official literature available, making groundings for compliance complex. And while many think Brexit will shelter businesses from the new EU data rules, this simply isn’t the case.
The fact of the matter is that GDPR will still apply to UK companies that deal with the EU, regardless of the UK’s status outside European Union. As such, many businesses will still need to prepare for the change, educating themselves fully on the new compliance laws that will have huge impact on the IT landscape.
Data breaches are going to be a huge area for GDPR compliance in the future. For the majority of 2016 and a huge part of this year so far, cyber attacks have constantly hit the headlines. Scandals such as the Yahoo hack last year – which put over one billion customer details at risk globally –as well as the Wonga data breach here in the UK this April have become infamous examples of organisations employing sub-par security measures when storing personal or corporate information.
As part of GDPR, companies will now be subject to much stricter rules with regard to protecting consumer data. It has also widened the classification of ‘personal data’, meaning more organisations are affected by GDPR than the Data Protection Act.
With the new laws, companies will be required to share details of cyber attacks where data is compromised, and any organisation that does not report a breach within 72 hours of detection will be subject to hefty fines – up to 4 per cent of annual global turnover or £17 million, which ever is highest.
This new layer of transparency will mean that the full extent of breaches, including data compromised and the parties concerned, will need to be disclosed in a timely manner to both regulatory bodies and the public. These new rules require businesses of all sizes to re-evaluate their data protection and determine the most effective method for their business.
In order to develop a more flexible approach to data protection, businesses need to focus their efforts on protecting against three key categories of security risk: people, technology, and operations.
The human factor – still the weakest security link
According to a report this February by the UK Information Commissioner’s Office (ICO), human error accounted for the largest proportion of security incidents in the last quarter of 2016. This demonstrates that people are (and have been) the weakest link in the security chain in any organisation.
While comprehensive background checks of staff members can encourage trust and confidence across the team, this is not the only consideration. In order to protect against human error, every company must provide thorough security training that covers initial set up through to daily operations concerning customers’ data.
The tech factor – credit-checking your managed service provider (MSP)
Whilst comprehensive business planning goes a long way to solving the problem, even a small security fault can threaten your organisation’s confidentiality, integrity and availability (CIA). To ensure full protection, companies must implement security services that are designed to go beyond industry standards.
When it comes to security, placing your company’s data protection in the hands of a specialist MSP is a good idea. When choosing a MSP it is important to look for solutions that offer a network integrity layer, a content filtering layer and of course a data protection layer. This complex system of layering will help to make the path for potential data hackers as difficult as possible. In particular, data encryption will become increasingly important, as this service ensures that data stolen by cyber criminals becomes unreadable and therefore useless.
The community factor – why security should be embedded in your company culture
Operational security is achieved by instilling security as a culture within your organisation. Operations are the actions associated with policies and procedures, and strong access control measures, such as encryption and authentication, are paramount to counteracting security breaches. Email encryption of sensitive data and PIN number verification for account access are a key example of these measures.
For data breaches similar to the Yahoo hack, the future looks bleak. Under the new rules, Yahoo would have been fined at least €20 million. For multinational organisations – this financial hit may be sustainable, but smaller companies may not be able to absorb this level of financial damage and survive.
As such, it is imperative that businesses research and invest in appropriate methods of data protection to safeguard themselves – and their customers – from the damage of a cyber breach. Aligning with a Managed Service Provider means that a company can acquire the skills, knowledge and expertise to successfully meet the requirements of GDPR and keep security at the forefront of operations, as well provide an external support network in a crisis.
Jake Madders is director at Hyve.
Further reading on GDPR
