The General Data Protection Regulation (GDPR) came into force on 25th May 2018. Are you compliant?
You may be one of the handful of businesses who have taken all necessary steps to be fully compliant; but for business owners who put their GDPR compliance on hold since May, the warnings could not be clearer: if you aren’t GDPR compliant, you’re likely to be in serious trouble in the next few months.
If you aren’t ready, here’s what you need to know about your IT systems:
Data breaches: You need to demonstrate that you have the correct procedures in place to help prevent, detect, report and investigate a personal data breach. Your data security procedures must include regular testing of these security measures. GDPR introduces a duty on all organisations to report certain types of data breach to the ICO, and in some cases to the affected individuals, preferably within 24 hours, but within a maximum of 72 hours.
Security Audit: You need to have a documented review of your IT security systems to demonstrate that you have industry-recognised anti-virus and firewalls implemented on ALL computers, laptops, tablets and phones that access company information, that your emails are encrypted, your data is encrypted, and each and every computer is encrypted.
Stored Information: You need to demonstrate that you have documented what personal data you hold, where it came from, where it is stored, whether you have consent to hold this information, and who you share it with. You also need to have proven procedures in place for deleting personal information, evidence that this information is stored securely (see Data Breaches above), and a record of who can access it.
Data Protection Officer: Your business must designate an individual to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements.
Company Knowledge: All of your employees need to be aware of the GDPR rules and you need to carry out regular staff security training sessions. All members of staff need to be fully aware of all things relating to data collection, storage and security.
If you have implemented everything above, then you are complying with GDPR in terms of your IT systems. If you fail to have the necessary security procedures implemented, you could be on the receiving end of the new, harsher penalties. Pre-GDPR, the ICO could fine up to £500,000, but GDPR now allows fines of up to €20 million or four per cent of annual turnover, whichever is higher.
There will be no excuses – the Government believes it has given business plenty of warning over this.
The following are required as a benchmark for businesses to follow, and are good practice for all IT in any business.
GDPR IT Requirements
Protected with Anti-Virus Software
Protected with Anti Malware Software
Protected with Anti Ransomware Software
Protected with UAC (User Access Control), with no shared or known Administrator passwords
Data Encrypted: Machine Encryption Preferable
Data Controller Appointed
Backups – Monitored & Tested
File Access Controlled with Permissions Set
Data Loss Policy
Data Controlled and Consent Given / Recorded
Staff Data Controlled and Consent Given / Recorded
Supplier Data Controlled and Consent Given / Recorded
Data Retention Policy – Checked and Administered
It won’t be long before we see more companies held to account in legal terms for not being able to demonstrate due diligence in their security and data procedures. GDPR applies to every business, no matter how large or small. Every business holds customer data.
If you are not secure and your systems are breached, you risk being held liable. With this also comes the responsibility of everyone within your company to report any security breaches, or any suspected data security breaches, as soon as they occur.
If you would like us to conduct a review for your business, offer advice, or implement procedures then please don’t hesitate to contact us.
We can help you get your IT systems in line with, and meeting the guidelines of, GDPR.