GDPR Explained – How to Prepare Your Business for Compliance
In the first part of our GDPR guide, we covered what GDPR actually is, and why it’s being implemented. If you haven’t yet read it, we recommend that you do before continuing with this article.
As we highlighted in part one, GDPR (General Data Protection Regulation) will be enforced from May 2018, meaning that the time left to prepare for assessment is getting shorter and shorter. Businesses will need to ensure that they are able to comply with GDPR, or otherwise risk facing a maximum fine of up to £17 million (or 4% of their international revenue).
Even if a business is not prepared and manages to go unnoticed, it may still receive a request from a customer that it is unable to fulfil (such as a request for data deletion). Starting early, and taking the correct steps towards being GDPR-ready, could mean the difference between business continuity and business disaster.
A survey by Spiceworks in June found that almost half of the UK’s businesses are preparing for GDPR. Hopefully, your business has already begun to plan towards becoming GDPR compliant. If not, then don’t worry as there is still time, and Redsquid are here to provide some valuable advice.
Security is the most crucial aspect of your compliance plan. The precautions your business takes when storing and using your customers’ data will likely need to be improved to comply with GDPR. A network breach will not only cost you in damages and recovery, but could also lead to the previously mentioned fine, which is why data security should be treated as a top priority at your business.
If you don’t already encrypt your customer data (especially any data stored off-site), then implementing this security measure is essential, as it provides a baseline of protection. In addition to this, providing a way to verify user identities (whether a user is trusted), and establishing multi-factor authentication (where accounts are authorised through more than one method, e.g. an email address and a mobile number), will help improve security.
Understanding Data Flow and Auditing
Perhaps the most time-consuming step: GDPR requires every business to be able to link every piece of data with a source, a purpose, and a place of storage. For example, if you receive an email address from a customer, you must have gained consent, labelled who the owner is, and stored it somewhere secure.
This will require your business to perform an assessment and audit of your data flow. Before you even begin to approach the monumental task of sorting through your data, ensure that your business has a detailed understanding of how your data is currently being processed.
If there is any way to make processing data any more efficient, then implementing this before auditing could help save your business a lot of precious time.
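As an added illustration (this is not Redsquid’s code, and all names, fields and sample records are constructed), the register below links each stored personal-data field to its source, purpose, storage location and consent date, and then answers the two questions the guide raises: which records are not fully accounted for, and which storage locations must be purged to fulfil a customer’s deletion request.

```python
"""Minimal data-flow register for a GDPR audit (added example, constructed data).

Each DataRecord ties one personal-data field for one customer to where it came
from, why it is processed, where it is stored and when consent was recorded.
audit() flags records missing any of those links; erasure_plan() lists every
storage location that must be purged to honour a deletion request.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class DataRecord:
    subject_id: str              # the customer the data belongs to (hypothetical id)
    field: str                   # which piece of data, e.g. "email"
    source: str                  # where it came from, e.g. "web signup form"
    purpose: str                 # why it is processed, e.g. "order confirmations"
    storage: str                 # where it lives, e.g. "crm-db"
    consent_on: Optional[date]   # when consent was recorded; None if never


# Constructed sample register: two customers, with two deliberate gaps
# (a marketing import with no consent, and a helpdesk record with no source).
REGISTER: List[DataRecord] = [
    DataRecord("cust-001", "email", "web signup form", "order confirmations",
               "crm-db", date(2017, 9, 1)),
    DataRecord("cust-001", "mobile", "checkout form", "delivery SMS",
               "sms-gateway", date(2017, 9, 1)),
    DataRecord("cust-001", "email", "newsletter import", "marketing",
               "mailing-list (3rd party)", None),
    DataRecord("cust-002", "email", "", "support tickets",
               "helpdesk", date(2017, 5, 3)),
]


def audit(register: List[DataRecord]) -> List[Tuple[DataRecord, List[str]]]:
    """Return (record, missing_links) for every record that cannot be fully
    traced to a source, a purpose, a storage location and a consent record."""
    problems = []
    for rec in register:
        checks = (("source", rec.source), ("purpose", rec.purpose),
                  ("storage", rec.storage), ("consent", rec.consent_on))
        missing = [name for name, value in checks if not value]
        if missing:
            problems.append((rec, missing))
    return problems


def erasure_plan(register: List[DataRecord], subject_id: str) -> List[str]:
    """Every distinct storage location holding data on subject_id, so a
    deletion request can be checked off location by location."""
    return sorted({rec.storage for rec in register if rec.subject_id == subject_id})


if __name__ == "__main__":
    for rec, missing in audit(REGISTER):
        print(f"{rec.subject_id}/{rec.field} in {rec.storage!r}: missing {', '.join(missing)}")
    print("To erase cust-001, purge:", erasure_plan(REGISTER, "cust-001"))
```

Running the audit before a deletion request arrives is the point: a record with no recorded consent or no known source is exactly the kind of data that makes such a request impossible to fulfil.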
Educating and Training
GDPR doesn’t exist as a way for the EU to simply punish businesses, but to encourage a greater sense of responsibility and care for personal data. This sense of responsibility is something you’ll want to instil in every member of your business, as it gives them something more to strive for than simply avoiding punishment.
Training your staff to properly process data and maintain security is essential to the success of your GDPR compliance. Start from the top down, and ensure that everyone is aware of the correct way to treat customer data. Additionally, educating your customers on how their data is being protected can help to develop a greater sense of trust towards your business.
Having the technology capable of safely and efficiently processing data is a necessary element of your GDPR compliance plan. Too many businesses have been compromised, and have had their customer data stolen, because their outdated IT infrastructure has allowed cybercriminals into their networks (we saw this with the WannaCry attack earlier this year).
Keeping your desktops, laptops, printers, mobiles, and other devices updated and protected by security measures (such as our Mobile Device Management services) will better equip you to comply with GDPR and avoid a potential breach.
Risk Assessment and Breach Preparation
Regardless of how much data security your business has, you should always be prepared for the worst.
Running risk assessments across your business can help you to identify potential weaknesses and plan for what might happen if these are exploited. If your business does suffer a breach, then minimising the severity of the breach and responding quickly can help to lower any penalties you might receive.
There’s still plenty to learn about GDPR, so we highly recommend that you do as much research as possible; there are plenty of free resources to find out there, including our own series.
If you’d like to know more about cyber security, feel free to speak to one of our IT specialists now on 020 8166 4540. Meanwhile, enjoy reading some of our other articles on cyber security.