Business

Life’s a breach – so are you GDPR compliant yet?

Google has already been handed a £50m fine for using personal data, collected without consent, to create targeted advertising
Google has already been handed a £50m fine for using personal data, collected without consent, to create targeted advertising Google has already been handed a £50m fine for using personal data, collected without consent, to create targeted advertising

THE introduction of new data protection rules in May last year put many local businesses into a spin as they grappled to understand how the new rules would affect their business. A year on, many are still struggling and don’t have robust systems in place.

A year on since the new GDPR rules were introduced to provide individuals with more control over their own data by compelling organisations to properly collect, store, process and use data carefully, few businesses can say they are truly confident that they are fully compliant.

There’s no doubt that GDPR compliance is a minefield and many of us are still waiting for the authorities to see if they sanction local companies for data breaches or non-compliance. Though that hasn’t happened in any public way yet, they’ve gone for the big tech giants first – Google has already been handed a £50m fine for using personal data collected, without consent, to create targeted advertising.

The threat of cyber attacks remains and some sectors are on high alert because of the wealth of confidential information they hold. Credit card details, dates of birth, your mother’s maiden name – all gold for the modern tech criminal.

So what can businesses do here to help strengthen their protection?

Firstly, it’s important to remember that the GDPR rules require organisations to demonstrate compliance, which means firms need to adopt a risk-based approach to data protection and ensure everything is in place – including fostering a culture of data privacy and security – to keep within the law.

Secondly, carry out a comprehensive risk assessment. Identify, analyse and evaluate risks and determine ways, policies and procedures to control them. Ensure your data protection policies and privacy notices are in line with GDPR and review staff, customer and supplier contracts to ensure you’re covered here.

Secure personal data through procedural and technical measures. For example, encrypting files and staff laptops for extra reassurance.

Make sure you have procedures in place to detect, report and investigate personal data breaches with staff or external providers who are trained, alert and competent to handle the task.

At a very basic level, for companies who have already embraced cloud technology and are enjoying the flexible benefits, cost savings and room to grow, you can easily adjust security controls and policies for enhanced compliance.

For example, cloud users should expect their solutions to be ISO 27001, a certification to the international information security standard, and ISO 27018, which provides specific cover, controls and guidelines for companies to protect personal data in public clouds, compliant.

If you’re processing payment card data in any way, you should also be using solutions that are PCI DSS compliant. This extra protection can be easily incorporated to protect you and your customer’s data, reassuring them and you that you’re right up to date.

Typically, your cloud service provider will qualify as a ‘processor’ when you use their services, so they will be acutely aware of the risks involved for you – and them. Check and make sure the security measures you have are sufficient. If not, there are plenty of quick and easy ways to remedy this. Above all, keep calm and keep preparing.

:: Eric Carson is director of Rainbow Communications and can be contacted via www.rainbowcomms. com. Rainbow Communications can also be followed on Twitter: @Rainbow_Comms