On one hand, if your organisation and its data still interacts with the EU post Brexit, there is still a need to ensure your data is being held in accordance with the GDPR, whilst on the other, the UK will most probably amend its own data protection legislation prior to 2018 to bring it into line with the GDPR. Either way, your organisation, be it public or private, needs to ensure that your approach to data protection and cyber security is taken seriously and that there is buy in from the top.
To some, the need to change their approach to data protection brought about by the GDPR could be seen as additional workload for already over-stretched resources, whereas in effect, GDPR, if embraced correctly, could bring with it a much more modern and robust approach to information security. Yes, the regulation will require a more strenuous data protection regime coupled with much more punitive penalties for non compliance (fines of up to 4% of global turnover or €20million, whichever is the greater).
The upside for some organisations, however, could be that the GDPR is actually a catalyst to bring about changes to how they do things in the future.
A lot of organisations need to look at their data in the round. Systems may have grown and evolved over years as one system gets bolted onto another. This leaves the very real prospect of many organisations not actually knowing what data they hold never mind knowing how much of it they actually have. This is a frightening prospect when it comes to cyber security because if an organisation doesn’t know the level of data it actually holds then how can it expect to keep it safe? In this regard, the GDPR should be seen as a necessary evil and an opportunity to have a root and branch review of an organisation’s approach to their systems, data and security.
A wait and see approach is not recommenced and clear action should be taken now to ensure compliance is achieved within the timescales.
A good place to start would be to map data flows as part of a privacy impact assessment – i.e. how information is collected, stored, used, shared and deleted or archived and what would be the most likely reasons for a data breach?
The most common reasons for a data breach could include:
- Human error
- Failure to encrypt
- Lack of or poor data retention policies
- Poor data access policies
- Lack of staff training
- Misdirected communications (fax, email, post, hand delivery)
- Dependence on paper records
- Accidental loss/theft
- Breaching direct marketing rules
- Bad asset control (decommissioning of hardware)
- Dependence on non-connected data islands
- Poor security policies
All of these potential breaches could have a serious knock-on effect on your information security and leave your organisation vulnerable to a cyber security attack. The good news however is that these risk factors can be overcome by a systemised approach which addresses better compliance, more effective business processes and robust information security at their core.