GDPR guide for businesses: Are you ready for the changes to data protection laws?

Posted in topic Small Business, Technology Guides, Website Content and SEO Guides on

There are some big changes coming to the world of data protection in the form of the new General Data Protection Regulation (GDPR), which comes into effect on May 25th.

For those of you who are unaware, GDPR is an update and revision to our existing data protection laws. In real terms it is a major shake-up of how we all process, handle and store personal and customer data, and the punishment for those who flout the laws has also just got a lot tougher.

Currently, those of us living in the EU have been working under the Data Protection Directive, which was initially approved over 20 years ago. This directive sought to protect the privacy of European citizens and restrict the distribution of sensitive personal data. GDPR has been developed to standardise data protection requirements for all EU countries. It came into law in April 2016 and, for the last two years, there has been a grace period before it comes into full effect on May 25th, 2018.

In simple terms, one of the biggest changes will see companies have to obtain implicit consent to continue sending you marketing information. Good news for your inbox, which should see a lot less junk mail, especially from companies that you once bought something from in 2003… They need to ask your permission to carry on bombarding you with emails. If you don’t give them that permission they should cease, if they play by the rules.

But what, I hear you cry, has this got to do with my IT systems? Well, GDPR is about a lot more than just the amount of junk mail that fills up your inbox.

GDPR could ask some serious questions of your IT infrastructure. Company data breaches have hit the headlines in a big way in the last few years and, in the always-online world we now live in, there are hackers out there constantly seeking to exploit the vulnerabilities of businesses large and small.

It’s easy to think that these issues only concern the big boys in the industry, but with the arrival of GDPR that is most certainly not the case. Any data breach, even of a single record of data, after 25th May will legally have to be reported to the ICO within 72 hours, so how prepared are your IT systems to prevent this from happening?

What questions should you be asking?

  • At minimum, ensure that your servers, PCs and devices are patched with the latest security updates and that your passwords are strong and regularly updated. But this is really just the start… Have you evaluated how secure the internet connection to your business is? Can you do more to stop a breach at source? Should you encrypt all the data you store, and are you storing your data in the safest place?
  • Look at where you store your data: Technical and security systems must be up to date, secure and must also include back-up facilities. What happens if there is a security breach? Is your data encrypted?
  • If you use a marketing company, for example to send and receive emails on your behalf, then there must be a data processing agreement put in place which requires the contractor to comply with GDPR. You will have to keep records of data processing activities, i.e. the dates and times at which you amended, moved or updated your data. How do you send and receive data? Is it, at the very least, password protected? Do you use a secure file sharing service?
  • People may be able to request copies of all the data you hold on them, and ask for all personal data to be erased and so forgotten once it is no longer required. You will have 72 hours to report any data breach to the Information Commissioner’s Office and to every subject whose data was breached.
  • What PCs and laptops do you use? How old are they? Are they supported with the latest security updates, or are they an easy way in for hackers? We all saw what happened with the NHS cyber attack last year, which happened, in part, because staff were using 16-year-old Windows XP systems.

These are just some of the many questions that businesses of all sizes should be asking of their IT providers. If you need any help or advice on how GDPR could affect your business, speak to us today on 01726 241701 or drop us an email here.