How Best To Comply With GDPR: Top Tips & Expert Advice
The new General Data Protection Regulation (GDPR), which came into full effect on May 25th, makes up part of the UK’s data protection regime, alongside the Data Protection Act 2018.
It applies to personal data – any information that relates to any person who can be identified either directly or indirectly. This provides for a range of personal identifiers, including name, location data, online identifiers and ID numbers, in a bid to reflect the way that technology has evolved and will continue to do so, as well as the way that organisations collect data about people.
The regulation applies both to manual filing systems in which personal data is accessible and to automated processing of personal data. In total, the GDPR sets out seven key principles – lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality (security); and accountability. It’s essential that you put these principles at the heart of how you process personal information.
Accountability means that you yourself are responsible for complying with the GDPR and must be able to demonstrate that compliance, implementing appropriate organisational and technical measures to meet the requirements of this particular principle.
This can be achieved by implementing data protection policies, bringing in written contracts with companies processing data on your behalf, recording and reporting personal data breaches, appointing a data protection officer, adhering to relevant codes of conduct, bringing in appropriate security measures, and so on.
One of the easiest ways of ensuring compliance is perhaps by hiring someone whose sole responsibility it is to prioritise this. Interestingly, many companies have already gone down this route, with new figures from Morgan McKinley showing that although jobs in the financial services industry have fallen by six per cent month on month, the new regulations sparked a hiring spree that is expected to have an impact on the months ahead.
Managing director Hakan Enver said: “Apart from a break to watch the royal wedding, the month of May was all about GDPR compliance. Hiring in technology, compliance and legal departments was astronomical.”
Any company, no matter its size or the industry it’s in, can suffer a data breach, and now that hefty fines can be handed out (up to €20 million or four per cent of your global turnover, whichever is higher), it’s vital that you ensure compliance wherever and whenever you can.
Even the European Commission, which is responsible for this new GDPR law, can fall foul of its own rules! According to iNews, the organisation revealed that personal information of hundreds of people had been leaked on its own website, with over 700 records released including names, addresses and professions. Not only that but the postcodes and addresses of some British citizens can be located by searching the official EU website.
But the Commission has insisted that it isn’t subject to the new law, even though if any other company out there had leaked these personal details it would be considered a breach of the GDPR.
Discussing the matter, data protection expert at law firm Mishcon de Reya Jon Baines noted the irony of the situation, saying that this breach raises “questions about the general level of compliance and whether any further inadvertent disclosures have been made”.
Recent data breach case studies
Looking at where other companies have failed with regard to data breaches in the past is wise, as it can prompt you to take a look at your own processes and procedures to see where improvements can be made. Here are a few case studies showing just where you could go wrong if you’re not careful.
This was one of the biggest cyberattacks to take place last year, with 143 million people compromised by the data breach. If GDPR had been in place, the company would have had to pay a very serious fine because its revenue for 2016 peaked at $3.1 billion.
University of Greenwich
The Information Commissioner’s Office (ICO) fined the University of Greenwich £120,000 after a data breach affected almost 20,000 people. This came just days before the GDPR came into effect, with the university the first to have been fined by the ICO under the Data Protection Act 1998.
It was found that the establishment failed to have in place proper technical and organisational measures to ensure that a security breach wouldn’t take place, such as by ensuring that its systems couldn’t be accessed by hackers.
The British and Foreign Bible Society
The organisation’s computer network came under a cyber attack in 2016, with hackers accessing the personal data of 417,000 of its supporters. As a result, the society was fined £100,000 by the ICO because, even though it had been the victim of a criminal act, it hadn’t implemented appropriate organisational or technical steps to protect personal data.
Jaguar Land Rover
Personal data was circulated among the company’s workforce, with information including disciplinary records, payroll numbers, names and the number of sick days taken by employees. The ICO is now looking into the situation, according to HuffPost UK.
How best to comply with GDPR
Last month (May), critical information systems company Thales revealed that the UK was in fact the most breached country in Europe in 2017, with 37 per cent of businesses across the country suffering a breach. Despite this, just 31 per cent of organisations in the UK said they felt either very or extremely vulnerable to data threats, with 69 per cent saying they feel somewhat or not at all vulnerable.
Further research, this time from NTT Security, shows rather worryingly that some companies would choose to pay ransom demands from hackers rather than investing in the appropriate information security, Computer Weekly reports. It’s essential that you are proactive with regards to data protection now that GDPR has come in – so now’s the time to review your processes and procedures and make any necessary improvements as required. Here are four steps to take that could prove particularly useful.
You need to access all sources of data and carry out an investigation and audit of what is being stored where and how it’s being used. To create an inventory of personal data, you need to be able to access all sources easily – and doing this will mean you can assess your risk of privacy exposure. To comply with GDPR, you need to be able to demonstrate that you know where this data is and also where it isn’t.
Once you know where all your data is being stored, you need to find out what personal information can be found in each source. Consider data quality rules, pattern recognition and standardisation, using tech tools to help you get this right.
Make sure that you document and share your company’s privacy rules across the board so that certain data can only be accessed by those with the appropriate rights, based on what this information is.
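As an added illustration of the three steps above (inventory your sources, identify which categories of personal data each one holds, and restrict access by category), here is a small Python sketch; it is not the article’s own tooling, and the sources, detection patterns and role policy are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample data sources: source name -> records held there
SOURCES = {
    "crm_export.csv": ["Alice Example, alice@example.org, +44 20 7946 0000"],
    "hr_share/sickness.xlsx": ["Bob Example, payroll 10432, 3 sick days, NI QQ123456C"],
    "web_logs": ["GET /index.html 200 from 203.0.113.7"],
}

# Pattern recognition for a few categories of personal identifier
PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "phone": re.compile(r"\+\d{2}\s?\d{2,4}\s?\d{3,4}\s?\d{4}"),
    "ni_number": re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

# Constructed privacy policy: which roles may read each category of data
POLICY = {
    "email": {"marketing", "dpo"},
    "phone": {"support", "dpo"},
    "ni_number": {"hr", "dpo"},
    "ip_address": {"security", "dpo"},
}


def inventory(sources):
    """Step 1 and 2: record, per source, which personal-data categories appear."""
    found = defaultdict(set)
    for name, records in sources.items():
        for record in records:
            for category, pattern in PATTERNS.items():
                if pattern.search(record):
                    found[name].add(category)
    return {name: sorted(cats) for name, cats in found.items()}


def allowed_roles(source, inv):
    """Step 3: a role may read a source only if it is cleared for every
    category that source contains. Returns None if no personal data was found."""
    categories = inv.get(source, [])
    if not categories:
        return None
    roles = set.intersection(*(POLICY[c] for c in categories))
    return sorted(roles)
```

Running `inventory(SOURCES)` shows the CRM export holding both email and phone data, so under this policy only the DPO role is cleared to read it in full.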
Confidential waste destruction
This is an essential part of ensuring GDPR compliance and one you certainly shouldn’t neglect. Shredding can protect you, your business, your brand, your assets and your clients – and it’s not just paper that can be destroyed. You’re also responsible for your own disposal and recycling of electrical and electronic equipment, but we here at Avena can help destroy data on hard disks, CDs and DVDs, as well as PCs and laptops, servers, network routers, printers and so on.
What about blockchain?
As you’ve worked over the last few weeks and months to get your business ready for GDPR, chances are you’ll have come across the term ‘blockchain’. This could actually be one of the best tools to have in your arsenal in the fight to remain GDPR compliant. But what exactly is it and how could it be of use?
Blockchain technology, invented back in 2008, was originally used to power Bitcoin when it was first introduced. Basically, it’s a mathematical way of storing data that’s practically impossible to fake, so it’s perfect for storing all manner of valuable personal information.
It’s ideal for use with GDPR because it means that you won’t have to keep your customer information in data silos, which are easy to target if people are that way inclined. Smaller businesses may well find it particularly useful because they may lack the resources to bring in changes required by the new regulations.
Bigger firms will find it easy to change their infrastructure, update policies and employ new people to ensure compliance, but smaller ones may not have the skills or funds available to protect data properly.
Applying this technology to identity management will change how your data is collected, stored and distributed. Such systems will make use of public and private key signatures, data hashing and encryption to verify data using blockchain. It serves as a public ledger so that third parties can check that the data hasn’t been changed or misrepresented, but no personal data relating to the user in question is stored.
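To make the mechanism just described concrete, here is an added Python example (not the article’s code and not any particular blockchain product): a minimal hash-chained, append-only ledger that stores only salted commitments to personal records, so a third party can verify that a disclosed record is unchanged while the ledger itself holds no personal data. The public/private key signing step the article mentions is not modelled; the hashing and public-verification part is.

```python
import hashlib
import hmac
import json
import os


class CommitmentLedger:
    """Append-only, hash-chained ledger holding only commitments, never records."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []          # the public part: safe to publish or replicate
        self._prev = self.GENESIS

    @staticmethod
    def _canonical(record):
        # Deterministic serialisation so the same record always hashes the same way
        return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

    @staticmethod
    def _commitment(salt, record):
        return hashlib.sha256(salt + CommitmentLedger._canonical(record)).hexdigest()

    def commit(self, record):
        """Append a commitment to `record`; returns (entry_id, salt).
        The salt stays off-ledger with the data controller: without it, a
        guessable field such as a name or postcode cannot be recovered by
        hashing candidate values and comparing them with the public ledger."""
        salt = os.urandom(16)
        commitment = self._commitment(salt, record)
        chain = hashlib.sha256((self._prev + commitment).encode()).hexdigest()
        self.entries.append({"commitment": commitment, "chain": chain})
        self._prev = chain
        return len(self.entries) - 1, salt

    def verify(self, entry_id, record, salt):
        """Third-party check: does this record (disclosed together with its
        salt) match what was committed? Any change to record or salt fails."""
        if not 0 <= entry_id < len(self.entries):
            return False
        expected = self.entries[entry_id]["commitment"]
        return hmac.compare_digest(self._commitment(salt, record), expected)

    def chain_intact(self):
        """Recompute the chain; a rewritten or removed entry breaks every later link."""
        prev = self.GENESIS
        for entry in self.entries:
            link = hashlib.sha256((prev + entry["commitment"]).encode()).hexdigest()
            if link != entry["chain"]:
                return False
            prev = link
        return True
```

Note that the ledger never contains the name or postcode itself, only a commitment that the data subject or controller can later open by revealing the record and its salt.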
There’s also less of a need to collect personally identifiable information on staff members, customers and anyone else associated with your company so your cyber security team will no longer have to monitor huge databases… which could give your productivity a boost as well.
There’s also a provision in the GDPR that covers privacy by design, creating products and so on with the aim being to keep data private. Blockchain technology ensures that privacy is put back into the hands of the user, rather than the company making use of this information. Privacy by design is a legal requirement under GDPR and you’d be wise to carry out data protection impact assessments where new tech is being deployed for large-scale processing of sensitive data.
Research released on May 25th by the Federation of Small Businesses (FSB) found that many small firms may still have been unprepared for the regulations even as they were brought in… despite having a substantial amount of time to get ready for the changes.
Earlier in the year, some 68 per cent of smaller enterprises had either not started their preparations or were only in the initial stages of it… with just eight per cent having completed preparations at that time.
Mike Cherry, FSB national chairman, said: “GDPR is here and the likelihood is that many of the UK’s 5.7 million smaller businesses will not be compliant. It is concerning that the burden and scale of the reforms have proven too much to handle for some of these businesses and there is now a real need for support among the small business community.
“It is imperative that the ICO initially deals with non-compliance in a light touch manner as opposed to slapping small firms with fines. Small businesses must see the ICO as a safe space where they can go for advice and help in making the changes necessary to be compliant.”
Speaking to BBC Radio 4’s Today programme, the information commissioner Elizabeth Denham did offer some reassurance to smaller companies, saying that the ICO would not be expecting perfection from the outset.
She explained that the ICO is looking for a “commitment to move forward with their new obligations” and it would be “nonsense” to think that the commissioner would be making examples of smaller businesses by hitting them with big fines. Instead, the focus is going to be more on those companies that are “deliberately, persistently or negligently” misusing data.
While this may well be music to your ears as a smaller company, you shouldn’t rest on your laurels where the GDPR is concerned. Implementing measures such as the ones mentioned above could certainly help put your mind at ease – after all, no one wants to spend business day after business day worrying about what will happen to the company if a breach does take place.
But as long as you do all you can to remain compliant, you shouldn’t have to stress too much about facing heavy fines later down the line.