At Lucid Networks Ltd we have had a busy few months preparing for the new GDPR (General Data protection regulation), and as part of that we have run several seminars, with Kuits solicitors, to advise companies on how to become GDPR compliant.
Our most recent meeting was hosted by Manchester Science Park, in the fantastic new Bright building, and we were delighted to have over 60 delegates in attendance.
So what did you miss?
The GDPR updates & extends existing data protection laws.
Penalties have increased to 5% worldwide turnover.
Individuals can complain about businesses if they feel that their data is not being used as they had agreed to.
Introduction of new protected categories of information
Informed consent is required
Subject access requests are now free and information has to be given in 30 days.
What are next steps:
Appoint responsible people who will report to your board. Build a GDPR team - this is a complex area and you can’t do it on your own.
Audit your data – what do you hold & where is it
Delete unnecessary data.
Create an action plan – what should you prioritise?
Update policies & procedures – and train staff. “It’s not a revolution, it’s an evolution” said James Wall Partner, Commercial & IP Partner at Kuits.
Update Privacy notices – what are the direct obligations on data controllers & data processes. Do you know how your 3rd party suppliers are handling personal data. Are they compliant?
Update processes for collecting consent. This seems to be the biggest concern for businesses. Particularly for marketing communications. The GDPR is increasing the threshold to get informed consent. We advise you contact your customers now to get proper refreshed, infomred consent.
Review security & technology measures (more on this later)
Record, record, record. Demonstrate you have thought about every aspect of the GDPR.
How can technology support you?
Why is it so important to protect personal data?
With the increase in cyber crime, particularly in the form of spear phishing or ransomware, data could be used to obtain passports or credit cards to commit fraud or identity theft.
So not only does the new GDPR protect your customers personal data, but it can also significantly prevent your company from being at risk of a cyber attack. Using technology to help you with this, shifts the burden away from the user, and increases your confidence that it works.
As James Balderstone, Managing Director at Lucid Networks Ltd said “Good cyber security hygiene across your organisation reduces your risk of a data breach”
So how can you secure and safeguard data?
We recommend that becoming cyber essentials certified is a good first step to becoming GDPR compliant. Cyber essentials is a government backed standard that can demonstrate a good level of security practise and defend against 88% of known cyber attacks. It is accessible & low cost, and if your company was to have a data breach it would demonstrate to the ICO you were doing the right things.
To put this into context in Oct 2013, The Target retail group had a breach where 110 million identities were breached. They had given remote access to their network to a heating engineer company. Attackers broke into this network and got into their systems. Step 1 of cyber essentials (Firewalls & internet gateways) would have defended against that
Data storage & retrieval
How as a company do you store emails and for how long?
Do you know what data exists within your emails?
What technology could you use to help manage this?
Office 365, for example, allows you to set up policies to archive a person’s deleted items every 7 days.
Where do your suppliers/vendors store their data. In the UK? In the states? A lot of suppliers are now holding data in the UK, for example AWS has an option to have data stored in the UK. Have you checked your suppliers policies & procedures.
Are you using all the available features within current systems such a two factor authentication. Features are there to give you an extra level of protection, and we would advise you check these and make the most of them.
At Lucid Networks we can help companies become GDPR fundamentals certified. Our consultant can go into your organisation and provide a gap analysis of where you are currently at with GDPR compliance, offer a range of suggested business actions, and then get you certified. This is a great way to demonstrate you are doing the right things compliance wise.
So with just over 3 months to go before the GDPR comes into force, it’s not too late to ensure your company is compliant. As James Balderstone said “Don’t try to eat the elephant”. Take it one piece at a time; review & repeat regularly.
If you want more information on any of the topics raised above, or to help get your company GDPR compliant, then please contact us at email@example.com or call 08008620095