It’s set to be a turbulent year for data protection and security in the UK, and one that will affect the way you manage data within your organisation.
One of the biggest factors to change is the arrival of the EU’s General Data Protection Regulation (GDPR), which comes into force in May 2018. The GDPR aims to make it easier for individuals to understand how their data is handled and what it’s used for.
For businesses, this means a stricter code of conduct in terms of data protection. The new EU regulation overrides national law, meaning the GDPR will supersede the current UK Data Protection Act (DPA) that has been in place since 1998.
Getting ready for GDPR
Regardless of the effects of Brexit, UK SMEs and large organisations alike that process data regarding EU individuals will be subject to the General Data Protection Regulation (GDPR).
“Processing” of data refers to obtaining, disclosing, recording, holding, using, deleting or destroying personal information – essentially, whatever you do with information digitally inside your company.
The GDPR is data-centric: it’s about the data, not the company. What matters is whether the data you handle concerns individuals residing in the EU, not whether your organisation is in the EU. Indeed, even monitoring the behaviour of an EU individual – through implementing website cookies on your site, for example – can make you subject to the GDPR.
And with monitoring features like cookies now more or less ubiquitous, companies that offer a digital service like a web app, platform or website (which is more or less every company) accessible by EU individuals must comply with the GDPR by 2018. The new regulation also voids the distinction between personal and business addresses. A marketing email that identifies a person (firstname.lastname@example.org, for instance) will require consent, and it is up to the sender to prove that consent was given.
Whether your business is B2C or B2B, the incoming changes will most likely affect you.
The GDPR is casting a much wider net when it comes to the collection, storage and use of EU citizens’ personal data. As such, you need to be more vigilant than ever when it comes to data protection. The following are five areas of focus when it comes to data protection best practice.
1. Secure the cloud
Processing data in the cloud presents a risk. The personal data which you are responsible for is not located in the known confines of your on-premises network, but instead processed in systems managed by your cloud provider. You therefore need to assess the security measures your cloud provider has in place to ensure they are appropriate.
We can advise you on your options to work within a secure digital workspace. Read more about our services provided by Citadel.
2. Understand what you have
Given just how much data we now generate, part of keeping it secure involves understanding which information is and isn’t valuable to your company.
- Necessary: ensure you only collect the most necessary information, as systems can quickly get overcrowded. Usage logs can help you identify content that is no longer being used.
- Secure: it is your legal obligation to keep customer information secure. Data encryption and user training are vital parts to this – you can’t afford employees unintentionally sharing information they shouldn’t.
- Readily available: under the GDPR, an individual can ask if your organisation holds any personal information about them, known as a ‘subject access request’. In this case, you must reply within 40 days. Make sure that your staff can recognise subject access requests and quickly find the relevant information.
3. Staff training
Whether intentional or not, it’s common for employees to be the main contributors to data breaches. Accidental disclosure and human error – from sending an email to the wrong recipient to opening an attachment with malware – are the main causes for breaches in personal data, according to the UK’s Information Commissioner’s Office (ICO).
By ensuring your employees acknowledge and understand their roles and responsibilities, you can greatly improve data protection across your organisation. Train your staff to make sure they understand the right and wrong places to share information regarding the company or customers.
4. The right to retain
It is good practice to review and refine the length of time you keep personal data.
Ensuring that any personal data is disposed of when no longer needed will greatly reduce the risk that it will become out of date, irrelevant or inaccurate. Always consider the purpose for which you are holding information, and whether that purpose still justifies keeping hold of it. Information that is out of date should be updated, but if it is no longer needed for this purpose, it should be securely archived or deleted.
5. Audit your activity
Unaware or inexperienced users are more prone to mistakes when it comes to keeping content secure. Keeping audit logs is a great way to keep on top of company content – where it’s going and who is accessing it. By monitoring your systems and services, you can be alerted to any suspicious behaviour or activity. So, make sure this is the case in your organisation – ensure you can check what software or services are running on your network, and make sure you can identify when there is something there which shouldn’t be.
Now’s the time to be thinking of developing a traceable and transparent system for recording communication with your customers and prospects. Synergy Technology can advise you on CRM solutions and emarketing options to create a system suitable for your business.
A wider reach than ever
The territorial reach of the GDPR is considerably broader than the UK’s current Data Protection Act. You can be subject to the GDPR if:
- You hold data about individuals that reside in the European Union.
- You handle data in the context of offering goods or services to an individual in the EU, or if you monitor their behaviour.
It is important that SMEs residing in Britain fully understand the current and future security of their data to ensure they don’t get caught in the increasingly wide net of data regulation. Given the associated fines, it very much pays to be educated on the details. Read our Spring edition of Business Talk to help you fully understand the implications of the GDPR for your business.
This article is a guide only. To fully comply with the changes to Data Protection regulations that will be in force by May 2018, please also check the Information Commissioner’s Office (ICO) website for regular updates.
Synergy Technology will be hosting GDPR workshops across the region during the next few months. To register your interest in attending a workshop please contact Synergy Technology for further information.