The General Data Protection Regulation (GDPR) represents an important and necessary step towards protecting users’ privacy and providing more transparency.
However, for many businesses, the buzz around GDPR has made it appear to be an unnecessarily complex administrative task that, by law, they must address. A recent survey bears this out: fewer than a third of companies felt they were ready for the 25 May deadline.
GDPR itself is a far-reaching piece of legislation designed to regulate how businesses handle European data subjects' personal data. The regulation is intended to give people more control over what companies do with their personal data, which includes things such as birth dates, addresses and names. It also apportions responsibility for breaches, holding any entity that processes that data responsible for its protection.
While large companies have the resources to hire lawyers to figure out exactly what the new regulation means for them, that is not necessarily the case for small businesses.
One stipulation that causes a headache for many companies is how to ensure they meet their customers’ right to be forgotten. Under the new legislation, in certain circumstances, customers can ask organisations to delete personal data they may hold on that particular customer.
However, most businesses run regular data backups, and these consist of huge data sets. Removing one individual's records from every historical backup copy, without breaking the integrity of those backups, can pose a real technical challenge.
Key steps towards compliance
Being GDPR-compliant requires understanding the data you hold, having policies and processes for managing that data, and training employees so that they understand these regulations and are able to comply with them.
Mapping out how data moves through the company and where it is stored – whether it’s in emails, CRM systems, cloud applications or on a back-up appliance – is a good starting point. With a full and thorough understanding of your data landscape, it will be a lot easier for you to identify any gaps that need addressing.
Once you understand your procedures, you should review and update your security policies. IT solutions can play an important role in GDPR compliance and adequate data protection. There is no one-size-fits-all solution, but at the very least, businesses must ensure they carry out regular security health checks of their entire IT environment.
Health checks should include reviewing whether firewalls are correctly configured, ensuring all devices have up-to-date patches applied and are running the latest software versions, and checking whether encryption is enabled.
When it comes to defending against cyber attacks and data breaches, human error is a common factor. This is why educating your employees is so important. Technology can also be used to enforce consistent security policies across the organisation – such as blocking unencrypted devices, or granting employees access only to the files and applications they actually need.
Businesses also have to ensure the ongoing confidentiality, integrity and availability of processing systems and services, as well as the ability to restore access to personal data in a timely manner in the event of a physical or technical incident.
A key consideration is how long data should be retained and how it can be managed and deleted. Back-up solutions should provide options for customising data retention schedules to meet an organisation’s business needs, as well as the ability to delete back-ups from the system.
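As an added illustration of the retention point above (this is example code, not Datto's product or anything from the original article), the following Python implements a daily/weekly/monthly retention schedule over a set of backup snapshot dates and reports which backups the schedule retains and which it deletes. It also answers the right-to-be-forgotten question raised earlier: after a record is erased from live systems, which retained backups still contain it. The snapshot dates, the policy values and the erasure date are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class RetentionPolicy:
    keep_daily: int    # newest backup of each of the last N distinct days
    keep_weekly: int   # newest backup of each of the last N distinct ISO weeks
    keep_monthly: int  # newest backup of each of the last N distinct months


def _newest_per_bucket(snapshots_newest_first, bucket, limit):
    """Keep the newest snapshot in each of the first `limit` distinct buckets."""
    kept, seen = set(), []
    for snap in snapshots_newest_first:
        key = bucket(snap)
        if key in seen:
            continue          # an older snapshot in a bucket we already kept
        if len(seen) == limit:
            break             # buckets beyond the window are not retained
        seen.append(key)
        kept.add(snap)
    return kept


def apply_retention(snapshots, policy):
    """Split snapshot dates into (keep, delete) under a daily/weekly/monthly schedule.

    Buckets are counted back from the newest snapshot present, so a backup is
    retained if it is the newest in any of the daily, weekly or monthly windows.
    """
    newest_first = sorted(set(snapshots), reverse=True)
    keep = (
        _newest_per_bucket(newest_first, lambda d: d, policy.keep_daily)
        | _newest_per_bucket(newest_first, lambda d: d.isocalendar()[:2], policy.keep_weekly)
        | _newest_per_bucket(newest_first, lambda d: (d.year, d.month), policy.keep_monthly)
    )
    delete = set(newest_first) - keep
    return keep, delete


def backups_still_holding(kept, deleted_on):
    """Retained backups taken before an erasure was applied to live systems.

    A record deleted on `deleted_on` still exists in every retained backup taken
    earlier; it leaves the estate only when the schedule ages those backups out.
    """
    return sorted(d for d in kept if d < deleted_on)


# Constructed sample: one backup per day for 120 days ending 2018-05-25.
TODAY = date(2018, 5, 25)
SAMPLE_SNAPSHOTS = [TODAY - timedelta(days=i) for i in range(120)]
SAMPLE_POLICY = RetentionPolicy(keep_daily=7, keep_weekly=4, keep_monthly=3)

if __name__ == "__main__":
    keep, delete = apply_retention(SAMPLE_SNAPSHOTS, SAMPLE_POLICY)
    print(f"retain {len(keep)} backups, delete {len(delete)}")
    for d in sorted(keep):
        print("  keep", d)
    lingering = backups_still_holding(keep, deleted_on=date(2018, 5, 22))
    print(f"{len(lingering)} retained backups still contain data erased on 2018-05-22; "
          f"oldest is {lingering[0]}")
```

With the sample policy the 120 daily snapshots collapse to 11 retained backups, and a record erased on 22 May still sits in seven of them, the oldest from 31 March. That is the figure a data protection officer needs when answering an erasure request honestly: the schedule defines how long a deleted record persists in backups. Note that this implementation counts windows back from the newest snapshot rather than from the wall clock, so if backups stop running nothing ages out; a production pruner should anchor the windows on the current date.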
With more data being processed and stored, cyber threats continuing to grow and with regulations such as GDPR being implemented, managing data is becoming increasingly complex for small businesses. However, the good news is that many managed service providers (MSPs) have added GDPR consulting to their portfolio, partnered with legal firms and independent GDPR experts and are now in a strong position to support their customers – giving peace of mind to the small businesses that rely on them as their trusted advisers.
Non-compliance with the new regulation can not only cause reputational damage to a company but also result in substantial fines.
In the coming months, case law and experience will shine a stronger light on exactly what the regulation means in reality. But one thing is clear enough: No business can afford to bury its head in the sand – and if you need help with getting your data processing in order, you should get it now.
Campbell Hutcheson is chief compliance officer at IT solutions specialist, Datto