We’ve been talking about GDPR for a few months now, we’ve mentioned it in our podcast and here on the blog. It’s a big issue and many businesses still don’t quite understand or even know about the changes. So we asked cyber security experts Agenci to give us the need-to-know facts on GDPR.
Who really cares about cyber security?
Let’s face it, cyber security isn’t high on the agenda of your average SME. Sure, we are bombarded daily with news of data breaches and horror stories designed to make us invest in the latest must-have technology. It’s something we know we should take seriously, but this stuff happens to other people, right? We have better and more pressing needs for our limited resources and limited cash. Well, as Bob Dylan says, the times they are a-changin’.
Ladies and Gentlemen: I give you GDPR
When it comes to our data and our information, our basic rights have been addressed for a long time by the Data Protection Act: a set of principles to be adhered to by business, and legislation overseen by the Information Commissioner’s Office and various legal and regulatory bodies. Arguably our approach to data has changed over the years, and arguably the powers of those bodies have so far been limited. To address this, the UK has worked hard on Europe-wide legislation that puts legal requirements on all businesses and gives some real powers and teeth to the overseers.
What needs to be done?
In a nutshell, the thrust of the legislation is to protect personally identifiable data. That is information about you. That is information about me. And if our data isn’t looked after, well, there are sanctions and there are fines. Sounds sensible?
Does GDPR apply to me?
The Information Commissioner’s Office (ICO) has stated that the new regulation
“…applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.”
So yes, either as a business or as an individual, GDPR applies to you.
Top 10 GDPR Facts
- It’s the biggest shake up of rules surrounding Data Protection since 1998.
- It’s a regulation that is relevant to EVERY organisation, irrespective of size or sector
- If you get it wrong you could face fines of up to 20 million Euros
- Brexit won’t affect it!
- Accountability is at the heart of the regulation
- You will need to seek ‘consent’ to control/process the data you hold
- You can’t outsource the requirements (Data Controllers AND Processors will be impacted)
- You need to have a clear process for managing Data breach incidents
- You’ll need to decide who your Data Protection Officer is – and it probably can’t be you!
- You will need to act
Here are our 10 steps to successfully prepare for the GDPR
- Assign a project leader
- Raise understanding of GDPR to the board and senior management
- Assess your readiness for the new GDPR by performing a Gap Analysis
- Set up a project and develop your project plan
- Conduct a Data Flow map of personal information
- Develop a Data Inventory: what, where, who, why, when and how data is held
- Agree what your organisation will class as personally identifiable information that you hold
- Implement an information security management system such as ISO 27001
- Develop your security incident plans to include data breach processes
- Assign someone to be your ‘Data Protection Officer’
Further information and a whole host of resources on GDPR can be found on the Information Commissioner’s website: https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/
Consider working with organisations like Agenci on providing your Data Protection Officer and getting you GDPR compliant.
Stuart Barker is CEO at Agenci and has over 20 years industry practitioner experience operating at senior levels of management and is a specialist in the implementation and audit of governance and controls frameworks. Agenci specialise in ISO 27001, Pen Testing, GDPR and Cyber Security Incident Management.
Stuart was the Head of Data Governance and Information Security at GE Money Bank and subsequently Santander for over 10 years. He was educated within the GE Management training program for business and holds extensive industry qualifications in governance and security, backed by experience and a track record of delivery. Stuart is a recognised subject matter expert on Data Governance.