Cyber Security & Dealing with GDPR: The Technology Side of the Problem
18 May 2018
Unless you have been living under a rock, you will have heard a lot in the news about the new General Data Protection Regulation (GDPR) and would no doubt have received various emails requesting your consent to opt in/opt out of newsletters. Many businesses have been working hard to put systems in place to comply with the new regulation.
Colony regulars One Creative recently hosted a 'Cyber Security & GDPR Readiness’ event for the Colony and Jactin House business community.
One Creative provided a general overview of GDPR for small businesses with Steve Atherton from Naimuri, a local Cyber Security & Technology firm highlighting some simple pragmatic ideas and take-aways around the ‘Technology side of the new General Data Protection Regulations (GDPR)’, ably supported by local Insurance Brokers Daulby Read, specialists in Commercial Insurance matters for SMEs.
What is GDPR?
The General Data Protection Regulation (GDPR), which is effective from the 25th May 2018 is a new, European-wide law that replaces the Data Protection Act 1998 in the UK. Its primary aim is to give control back to EU citizens and residents over their personal data by placing greater obligations on how organisations handle their personal data. The new regulation also applies to organisations based outside the EU if they collect or process personal data of individuals located within the EU.
How does GDPR affect small businesses, sole traders etc.?
There is a perception within the small business community that GDPR only effects the larger companies. However, this is not the case as GDPR affects all businesses from sole traders to global blue-chip companies regardless of BREXIT. Any business that controls or processes personal and sensitive data e.g. employee and/or customer data will need to comply. In layman's terms this could refer to how you manage subscriber information for your newsletter, how you collect client information on your website e.g. payment details or how you store hard copies of employee information.
Are you ready for GDPR? Do you have systems in place to protect your data from cyber threats?
In a recent survey conducted by the Federation of Small Businesses it was highlighted that the majority of small businesses were still not prepared for GDPR. It found that 33% of small firms had not yet started preparing for GDPR and a further 35% were only in the early stages of preparations. With the increase in cyber threats to businesses and not just the large corporations, it is really important for small businesses to get to grips with GDPR and implement the necessary changes to safeguard their data.
Given that the majority of businesses are now online or using related digital technologies such as mobile phones, laptops for handling personal data, it is crucial to remember that Technology and Security is a major part of the challenge.
Don't let ignorance result in you getting fined for accidental data breaches.
Failure to comply with GDPR could result in heavy fines (up to €20million or 4% of your global annual turnover, whichever is greater), serious damage to the reputation of your business or closure in the case of small businesses.
For example, Carphone Warehouse were fined £400K by the Information Commissioner's Office (ICO) for a data breach which was the result of a cyber-attack on one of their computer systems in 2015. The compromised customer data included: names, addresses, phone numbers, dates of birth, marital status and, for more than 18,000 customers, historical payment card details. Under GDPR they could have been fined up to €59 million.
What steps can small businesses take to prepare for GDPR?
If you are still unsure about GDPR or are in the early stages of preparation, Naimuri who are passionate about making technology your ally rather than a threat has provided some useful information on how to Collect, Store & Use Data under GDPR:
8 Key Areas to Consider – Simple Tips & Ideas
1. Obtain Consent freely, explicitly and clearly, and make sure across your web sites that when collecting data from the person that this is stated clearly, unambiguously and explicitly. Very often Contact Forms can miss such statements or be misleading in how they are worded.
2. Ensure Your method of Data Collection is secure. As evidenced during the recent briefing event at the Colony when Naimuri ran its Digital Footprint passive scan, many businesses currently have un-secure connections to their web sites that are vulnerable and open to attack and potential loss of personal data. This means that the security of connections to the website may be compromised and should be investigated and remediated urgently.
3. Always Know Where You Data is stored and sent to, as ignorance will be no excuse with the ICO. As illustrated during the event when talking about a UK National Charity, as Data Controllers, SMEs must always take responsible steps to ensure that the personal data being collected is kept safe. Thinking it is only contained in your emails when in fact copies are also collected and stored on your other systems and web sites needs to be understood.
4. Know What & Where Your Data is stored. A useful way to help with this aspect is to establish and maintain for your business a Personal Data Asset & Sharing Register, as illustrated in the very basic example below. This is also a useful resource to assist when handling Subject Access Requests and dealing with any Breaches that may arise.
5. Take Steps to Secure Your Data. Very often devices are left unencrypted, paper records left in open reception areas, key business systems and web sites are left running out of date software and unpatched. With GDPR it is imperative to ensure you take steps to secure your data.
6. Know Who Has Access to your Data & Enforce the ‘Need to Know’ Principle. Often Admin rights to key devices, servers and systems are left open or poorly controlled resulting in the accidental or malicious loss of data. Always ensure that only authorised persons who need the data to perform their work are able to access this. Developing a best practice framework or standardizing business processes will lower the risks and reduce the damage and consequences arising from getting hacked.
7. Ensure the Use of Data Fits the Stated Reason for its collection. As with recent events in the news, always ensure that the purpose and use of the data is aligned to the original reason it was collected. Any mis-use will be poorly looked on by the UK Data Watchdog.
8. Put Controls in Place to protect privacy and prevent intrusion and misuse. Continuing to market to individuals who have made it clear they do not want to be contacted is an absolute “none starter” and your business needs to ensure opt-out controls are set in place to protect these individuals.
Useful Supporting Resources:
Naimuri is a cyber security & technology company based in Media City.
For further information on their services and to obtain a free ‘Digital Footprint’ of your business, contact firstname.lastname@example.org, or alternatively check out their latest technology and cyber related insights on https://www.naimuri.com/insights.
Daulby Read is an insurance broker company based in Chester. For businesses that attended the event, Daulby Read have created a useful ‘GDPR Readiness Toolkit’.
For further details on this and other related Cyber & GDPR insurance related matters, please contact Peter Goddard (Peter@daulbyread.co.uk) and quoting the event name and date in the email subject.
One Creative is a small start-up marketing and business development consultancy. We provide marketing, business development support and mentoring to sole traders, SME's and start-ups. Please follow us @onecreativeuk
Information Commissioner's Office (ICO). For further information about GDPR the ICO has a wealth of information on their website.