Why GDPR is important
GDPR gives the control of personal data back to the person it belongs to. This in turn, ensures a safeguard for peoples’ privacy as a basic human right. It is important for companies to be aware of and adhere to as there are tough financial penalties for non-compliance.
When GDPR came into effect, it quickly caught out over 200,000 businesses in its first twelve months. Data breach complaints rose by 160% and fines totaled 56 million euros – 50 million of which was Google‘s alone!
Failure to comply with GDPR can cost a business 4% of its annual turnover or 20 million euros. (whichever is the higher amount). So, this article will list the best practices for staying compliant, handling data securely, and avoiding any large fines.
What are my GDPR responsibilities?
Article 32 (1.D) – of the GDPR mandates that businesses take technical steps to safeguard data protection. Despite the fact that the article provides examples of security measures, it does not provide a complete list. In light of the continually evolving information security threat landscape, businesses must evaluate, implement, and maintain appropriate security measures.
What is sensitive information under GDPR?
GDPR is the European law that governs what companies and organisations can do with your personal data. Personal Data is any piece of information that either on its own or with another piece of information is able to identify an individual. It was introduced because the previous data protection legislation was created back in the 90’s. This was before any of us had smartphones capable of harvesting huge quantities of personal data about us. This meant that companies like Facebook and Google were able to profit from its use, mostly through targeted marketing. Storage of sensitive information also needs to be justified. So, if a good reason for having it cannot be provided, it could mean facing significant financial penalties.
How to store sensitive information
To avoid a fine, make sure that any personal data you process is readily available if someone asks for it. Whether that be an individual, business, or an auditor, there must be a response within one month. It also must be delivered accurately, in full, and free of charge. Remember to create a process for doing this, and a process for deleting data should the request be made.
Secondly, it is a good idea to regularly delete any sensitive information that has already served its purpose. Also, make sure that you don’t have personal data unnecessarily without its owner’s consent.
GDPR requires that you store data securely and protect it against unauthorised access, so ensuring data is physically secure and under lock and key is crucial. Also, all hard copies you keep need to be in a fireproof safe that is only accessible to authorised personnel.
Data also needs to be safe from remote access, so antivirus software and firewalls should be updated on all devices. You need to take measures to stop malicious hackers from gaining access and compromising business critical systems.
GDPR policy recommendations
Next, create a risk assessment and record of security measures that you can roll out to your staff. You can then use this to demonstrate the business’ best practices for data protection should an auditor come to visit.
It is important to create a clear and fair processing policy or privacy policy which explains to people what data you collect, why you have it, how you process it, and whom you share it with. This must be comprehensive, contain no confusing jargon and be concise, and will also show transparency and demonstrate sound business practice.
GDPR states that consent to use data for marketing is now ‘opt-in’ and not ‘opt-out’. This means that consumers now must take action to tick the box that gives permission to use their data. We recommend a clear and positive opt-in policy that you keep as evidence with other stored data. If someone opts out again, a thorough process to ensure they do not receive anything else from you is advisable. Failing to do this is a good way to fall foul of complaints and end up with fines.
Who is responsible for GDPR compliance?
Appointing a Data Protection Officer (DPO) is advisable: someone who is responsible for implementing the procedures and policies we have mentioned. Initially, it may be a good idea for senior management to take on the role and then delegate these responsibilities once you have a thorough and complete understanding of GDPR Compliance.
Every organisation is responsible for implementing an incident management system, part of which will involve the DPO being responsible for reporting an incident to the governing body for data protection in that country. In the UK, that is the Information Commissioner’s Office (ICO), and you must disclose this within 72 hours of discovering a breach.
Sencode Cyber Security offer GDPR Penetration Testing services to help you ensure your business and data processing meets the requirements of GDPR.
Frequently Asked Questions
GDPR stands for the General Data Protection Regulation.
GDPR came into effect on the 25th of May 2018.
GDPR is the European law that governs what companies and organisations can do with your personal data, and personal data is defined as any piece of information that can either be used on its own or with another piece of information to identify an individual.
GDPR states that personal information is the property of the person that it identifies and ultimately, they are in control of how that information is used. Companies that require personal data of their customers are responsible for the safe storage and processing of that data. GDPR requires that companies are more transparent with people’s personal data, and it gives control of that data back to the individual that it belongs to. Failure to comply with GDPR can cost a business 4% of its annual turnover or 20 million euros (whichever is the higher amount).
GDPR is a European law and applies to anywhere in the world dealing with data pertaining to European citizens but is widely adopted around the world as the standard for data protection.