GDPR is primarily a legal issue, not an IT issue

02.12.17

GDPR Update

GDPR is a hot topic right now and chances are you’ve been busy finding out how it impacts your business and what you need to do in order to be prepared for its introduction in May.

Here at Computer Geeks, our team have been assessing the issue of GDPR and what it means for our clients. GDPR is largely an issue about compliance and in this sense, it’s a legal issue that is best explained by those in the legal profession rather than those in IT. However, one thing remains crystal clear: the EU’s new data protection regulation will have a major impact on IT. Organisations that handle personal data may need to carry out comprehensive adjustments of their IT systems, infrastructure and processes to meet the demands of the new data protection regulation. Clients need to prepare fully for this impact by getting their IT infrastructure, data and systems ready and compliant before the new regulation arrives.

So what is GDPR?

GDPR introduces tougher fines for non-compliance and breaches and gives people more say over what can be done with their data. In addition, subject access is changing and there will be an onus on organisations to demonstrate compliance with data protection from the outset.

The GDPR increases penalties for non-compliance – fines may be up to 4% of total global annual turnover or €20 million, whichever is greater.

All organisations, including small to medium-sized companies and large enterprises, must be aware of all GDPR requirements and be able to comply by May 2018.

For more information and advice about GDPR we recommend the Information Commissioner’s Office (ICO) website: https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/

How the Geeks team can help:

There are areas around GDPR on which we are well placed to advise and help:

Encryption and Data Security

Encryption is one of the most popular and effective data security methods used by organisations. The purpose of data encryption is to protect digital data confidentiality as it is stored on computer systems and transmitted using the internet or other computer networks.

GDPR requires businesses to implement technical and organisational measures to provide appropriate protection to the personal data they hold. With the introduction of GDPR, encryption and other security measures are established as data protection standards that responsible organisations are expected to use, or face the consequences.

We can help you to make sure you have the right technology and solutions in place to encrypt all personal data held by your business or organisation.

Similarly, the GDPR will introduce a name-and-shame mechanism whereby businesses will have to notify the data protection authority if there is a security incident that affects the integrity, confidentiality or security of the personal data that they hold. If the breach is likely to result in discrimination, identity theft or fraud, financial loss, damage to reputation, or other significant economic or social disadvantages for data subjects, businesses will have to notify the affected data subjects of the breach.

Importantly, no notification to the data subjects will be required if businesses have implemented appropriate technical and organizational security measures in respect of the data that were affected by the breach.

So, if, prior to the breach taking place, the data were rendered unintelligible, for example by means of encryption, businesses will not have to notify the data subjects of the breach.

Data Centralisation

An important aspect of GDPR compliance is ensuring that the data you do hold and store is controlled and safely protected. To control data, it is highly advisable to centralise it and store it in the right place so that it can be safely monitored and controlled. For example, if you are a business currently running on multiple laptops with no servers, it’s impossible to control that data unless it’s centralised. We can help your business move to a (virtual) server environment with a robust backup and security plan in place.

Backups and disaster recovery

Backup and disaster recovery is essential under GDPR. Organizations are held responsible for their ability to recover lost personal data that they hold in a timely manner. In order to remain compliant, they must have the necessary backup and disaster recovery strategies in place and actively take the time to regularly test the integrity and the effectiveness of the solution.

Otherwise, your organisation could face heavy fines for failing to protect the data that you hold and monitor. We see more and more organisations falling victim to sophisticated ransomware and cyber-attacks because they do not have the necessary backup and disaster recovery solutions in place.

Our extensive experience and expertise in delivering our Remote Unlimited services for our clients means that we can provide you with real-time support and servicing for all your IT infrastructure, including Managed Threat Protection (antivirus cover and endpoint management), unlimited backup licences for your virtualised servers, and a fully automated backup strategy with alerting whenever a failure, data breach or warning occurs.

The Right to be forgotten (RTBF)

The right to be forgotten will be one of the most challenging parts of GDPR compliance.

From May 25th 2018 onwards, if a company is presented with an RTBF request, it will have 30 days in which to find that individual’s information and delete all records of it that are no longer being used for their original purpose, unless they are required to be held for other regulatory reasons.

We can help you to look at your IT systems and policies to understand how compliant you already are and what needs to change.

Furthermore, we can help your business map the data flows in and out of the organisation to build a picture of where the GDPR data is going and who it is going to. Ultimately, monitoring and scanning for critical GDPR information will highlight what your business is already doing, what needs to be done to become compliant, and therefore where there are gaps.

There is also a need to understand how GDPR data is shared – e.g. contact lists sent to a telesales company. We can work with the departments that hold critical data to map those data flows and build that understanding. It’s worth remembering that even when information or data goes outside your organisation, it is still your responsibility, so you need to know who you’ve shared it with so that you can make a corresponding RTBF request should you need to.

Businesses can’t afford to ignore GDPR.

GDPR is a wide-ranging regulation touching on various parts of every business: employees, processes, the technology that underpins the business and the activities the business takes part in.

Whilst we can’t advise you about all of the legal and compliance issues involved, what we can do is help to ensure that you have the right IT systems and technology in place to meet the requirements of GDPR and make sure that when it comes to your IT infrastructure and data security, your business will be prepared and ready for the introduction of GDPR next May.