There has been much talk of General Data Protection Regulation (GDPR) over the last few months, although the reality is that we’ve known it’s been coming since April 2016.
The new regulation (coming into force on 25th May 2018) is perhaps the biggest change in data privacy legislation in twenty years. Any organisation found to be in breach of the legislation could face fines of up to 4% of their global annual turnover, or €20 million.
Although this is European Union regulation, it’s thought that any Brexit deal won’t affect a UK company’s need to comply (you’ll still need to), yet it is somewhat of a grey area; the UK has said that it will put governance into place that will work alongside the EU legislation, but it won’t technically be EU regulated.
Does My Business Need to Comply?
Essentially, if you are supplying goods or services to citizens in Europe, then yes. If you’re a UK business that only supplies to the UK, then … we’re back to a relative unknown.
It’s thought that the legislation put in place post-Brexit will be near identical to the European legislation, so even if you aren’t trading with any European company or individual, you may still need to apply the GDPR regulations. After all, the regulation is meant to unify the way that data is protected, and if nothing else, a stronger compliance schedule for your business will only help.
The regulations demand that you can show compliance, using a risk-based approach to data privacy and protection, and that policies are in place to show accountability and transparency, along with building a culture of security and privacy within the workplace.
Exceptions to the Rule
GDPR legislation does have some exceptions if it’s deemed that the appropriate security measures are in place: a breached organisation that has encrypted the data to the point of making it unintelligible to unauthorised people will not have to notify the affected individuals, and the chances of a financial penalty are greatly reduced if the breached organisation can demonstrate that the breached data was protected in this way.
To help provide evidence and accountability towards compliance with the GDPR legislation, organisations could employ one or more of the following encryption methods, both on-site and within their cloud infrastructure, although no single solution on its own is likely to make an organisation GDPR compliant.
Servers – including via file, application, database and full disk virtual machine encryption
Storage – including through network-attached storage, and storage area network encryption
Media – through disk encryption
Networks – e.g., through high-speed network encryption
The important thing to note is a single solution will not help you become GDPR compliant. Your organisation has a responsibility to ensure its people, process and technology are working together to ensure data is protected.
Whatever your method, time is fast running out to ensure full compliance. With processes, policies and procedures to implement, the average time taken to achieve full compliance within a regular SME can be up to one year, meaning that if you haven’t yet started, you won’t be compliant when the regulation comes into force.
This is more than a ‘box ticking’ exercise: you need to be able to demonstrate compliance and understanding through procedures and policies.
What can you do?
If you have concerns, you are not the only one. Why not give us a call if you need some help working out what steps to take next. A Cyber Essentials Certification could be the first step forward for you.