The new General Data Protection Regulation (GDPR) that comes into force on May 25th 2018 is just one month away – will you be ready?
The process of getting compliant with GDPR has meant substantial changes for many businesses, no matter what their size or service offering. More importantly, there are still a considerable number of businesses that have a lot of changes and adjustments still to make, which could cause strain on business resources, unless they’re handled efficiently and without further delay.
With all the debate and conjecture surrounding GDPR compliance, getting your operations and processes in order, to meet the new regulations, can seem quite an onerous task. You should look at it methodically and understand what is required before you implement changes.
The fundamentals of compliance
Ensuring that your business is compliant with the new GDPR regulations can seem a complex process, and for some businesses this could significantly change their key business activities.
Let’s get to the basics, starting with people and policies. Firstly, you will need a data protection policy in place that all team members will adhere to. Secondly, it’s important to appoint someone (internally or outsourced) as your Data Protection Officer (DPO) or Privacy Officer, who will manage data protection and enforce your policy throughout your organisation. Thirdly, you will need to educate your team, make sure they create and set complex passwords immediately, and then test their cyber security IQ to ensure they will not fall victim to a cyber attack attempt. Your team are your first line of defence and they are key to the safety of your business and its data.
Now let’s delve a little deeper into systems and processes. The new regulations are concerned with how Personally Identifiable Information (PII) is collected and stored within your organisation, so you need to start at the root by identifying how much personal data you have and where it is located. You should use this as a cleansing exercise and delete copies and instances of data that you no longer need. Once you have located your data – whether it be in the cloud, on files and folders on laptops or in emails, or on pen drives – you need to make sure you encrypt all PII both at rest and in transit. After encryption you then need to manage the data and implement Data Loss Prevention (DLP) techniques and stipulate access rights – this will restrict sharing and viewing of PII and sensitive data.
It takes time to get everything in place, but we strongly recommend you implement the Government’s Cyber Essentials cyber security fundamentals as a bare minimum by the 25th May (see the link below in ‘Useful references’).
Finally let’s look at marketing and communication. We collect PII across several areas of our businesses, from web forms, telephone enquiries and networking, etc. If you decide to market your products and services to any of your contacts in your database, you must ensure they have double opted-in first, which means that they have given you their consent to contact them for marketing purposes (each must be time and date stamped). For some businesses it will mean building new databases from scratch, but it is a positive step towards creating a quality database of people who genuinely want to hear what you’ve got to say, so should lead to more successful marketing campaigns.
Five key factors in GDPR implementation
No two companies are alike, and each one will have different adaptations to make to their current processes in order to become GDPR compliant – but essentially, they run along the same vein.
Here’s a rundown of our top five factors to consider implementing sooner rather than later…
1. Ideally appoint a DPO or Privacy Officer to manage compliance.
2. Partner with a cyber security professional who will work with your DPO (of course we would say that!) but seriously, it’s important you seek help from an expert who ideally has CISSP (Certified Information Systems Security Professional) accreditation.
3. Audit your systems, define your processes and policies, and then implement them across your organisation.
4. Implement Cyber Essentials first followed by a proactive managed security service.
5. Cleanse your data and make sure the members of your database have double opted-in before you contact them for marketing purposes.
It may seem like there’s a lot to do, and the fines the ICO can serve for a data breach sound a little frightening, but remember you’re not alone and don’t have to do it alone. Partner with a professional.
A little bit about us
You may know we are a Managed Security Service Provider (MSSP) but something you may not know is that we are now ISO 9001 and ISO 27001 accredited. Also, our Head of Operations and Cyber Security has achieved the CISSP accreditation, which is a hallmark of quality security solution provision and is the most globally recognised standard of achievement in the industry.
As security is paramount we have developed three security packages to help build your defences and protect your business and all that matters. If you’d like to know more, or if you would like to discuss your GDPR strategy further, please call our team on: 01282 500770 or email Laura at: firstname.lastname@example.org and we’ll be in touch as soon as possible.
Leading up to the 25th May, our MD Justin Sherwood will be delivering further workshops around GDPR and Cyber Security, so if you’d like to attend one of our events please check our Workshops page for the details.
Useful references
Cyber Essentials Advice – https://www.cyberessentials.ncsc.gov.uk/advice/
ICO: Preparing for the GDPR in 12 steps – https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf