With less than 18 months to go until it becomes law, preparing your organisation for the GDPR should be high on the agenda.
Superseding the Data Protection Act 1998 (DPA), the General Data Protection Regulation (GDPR) is a new European directive designed to improve the way that organisations across the EU collect, handle, process and store personal data such as HR records and customer contact information.
Technological advancements and increased globalisation over the last 20 years have resulted in new data protection challenges. The GDPR is a modernisation of the law to give consumers and citizens greater rights to be informed about how their personal data is collected and used.
An important issue for data protection
Among the changes the GDPR gives rise to are an expansion of the requirements for storing personal information, enhanced information governance and more stringent sanctions for organisations that suffer a data breach.
Currently, the maximum penalty an organisation can receive for failing to adequately protect customer information is £500,000. Under GDPR, an organisation that suffers a data breach could be fined up to 4% of global turnover or €20 million (£16.9m) – whichever sum is larger.
The wide-ranging requirements of the GDPR, coupled with the UK government’s commitment to apply the regulation post-Brexit, mean that the GDPR is a pressing issue that must be taken seriously, right up to board level.
The GDPR applies to all organisations that process personal data (‘controllers’), as well as to third parties that process and store information on a client’s behalf (‘processors’). The definition of personal data is similar to that outlined in the DPA, although it has now been expanded to include online identifiers such as IP addresses.
Article 5 of the GDPR outlines the main responsibilities all controllers should adhere to. Six key principles specify how personal data should be processed, collected and retained.
Protecting personal data from hackers
GDPR’s sixth principle highlights the importance of having appropriate cyber security measures in place to ensure that personal information is processed in a manner that provides protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
According to the regulation, steps to enforce network and information security could include preventing unauthorised access to electronic communications networks and the distribution of malicious code, as well as stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.
Another key security aspect of the GDPR is ensuring that appropriate procedures are in place to detect and investigate personal data breaches, and to report them to the relevant supervisory authority within 72 hours. In high-risk cases, it might also be necessary to notify the affected individuals.
Steps to take to improve your organisation’s cyber security
To support the wide-ranging technical and organisational requirements of the GDPR, Redscan’s comprehensive range of managed cyber security services can help your organisation to improve its information security governance by:
- Identifying and assessing security risks
- Proactively detecting, investigating and reporting threats 24/7
- Driving improvements to security policies and procedures
- Aiding certification with schemes such as Cyber Essentials
Whatever your organisation’s GDPR compliance needs, Redscan’s qualified security experts are on hand to provide clear information and advice ahead of the fast-approaching May 2018 deadline.