By now, you should understand that GDPR is happening next May. No avoiding it.
At the centre of GDPR are Individual rights for data protection. This affects all of us. No one wants to have private information such as bank account and credit card details made publicly available or sold somewhere online.
So when it comes to making sure your business is doing the most to protect sensitive employee and client information, a common question is where do you start?
A good place to start is to assess the threats to any information that is not for public consumption. These threats come in all shapes and sizes. Some of the common ones are:
- Using unapproved apps (popular among millennials)
- Increase in cybercrime such as phishing (baby boomers are especially susceptible), ransomware and viruses
- Bad work habits
Each of these threats bring their own risks and affect to the business. Loss of client trust, reputational damage, disruption to client services and the possibly fines.
We frequently speak with clients who assume that data protection, and the broader idea of information security, is entirely an IT issue. This could not be further from the truth. Look back at the three bullet points above. The one thing they have in common is people, i.e. your employees.
We equate information security to buying insurance. It is a business decision that needs to be made based on risks, and how to mitigate them, in the hope that you never need it. Unfortunately, just like insurance, there is a cost. This comes in the form of time and/or money required to mitigate the risks. It is common for this to lead to putting information security on the back burner. Fortunately, companies have a lot of control over how to deal with these threats and risks.
We began our journey to GDPR and ISO 27001:2013 compliance a few months ago. Here are a few things we learned along the way:
- Senior management must understand the threats and potential impact of increasingly effective cybercrimes, lack of awareness, more onerous compliance requirements and accept that something needs to be done to address these. Business risk is something senior management care a lot about but if they do not already understand the information security risks and the impact of non-compliance, someone has to sell it to them.
- The business needs to assign an internal person to be responsible for information security. Some aspects of information security can be outsourced but the responsibility to protect data resides with the business. This person must have the support of senior management. It is also a good idea to allocate a budget for information security.
- Identify the most valuable information the business has, the risks and impact caused by threats. Imagine your business was victim of the recent Wannacry ransomware. What would that cost you financially? What would be the impact to productivity and more importantly reputation?
- A gap analysis will identify weak points. Put measures in place to mitigate the risks. This could involve investing in more secure solutions or employee awareness training.
- Data protection is not a “one and done” type of thing. It is an ongoing process which regularly checks into the business to see if there new threats or improvements that can be made.
At the end of the day, all businesses are caretakers of certain sensitive information whether that be employee bank details, legal case files or intellectual property. Being able to demonstrate that you are trying to ensure these are as secure as possible is an indication to regulators that you are making an effort which will be viewed favourably if they ever coming knocking on your door.
While the General Data Protection Regulation may seem over baring due to a lot of new rules, it does require everyone to step back and look at current process and resources to ensure that the appropriate measures are in place.
If you would like to talk about how to be better prepared for the May 2018 deadline, we would love the opportunity to talk with you. Feel free to get in touch with us here