Are you prepared for the introduction of EU General Data Protection Regulation (GDPR)?
The UK may have voted to leave the EU but that doesn't mean you can ignore the GDPR. It will affect all UK businesses whether we are in, or out, of the EU. So you need to ensure you understand what GDPR is, how it will affect you and what you need to do to ensure you are compliant.
Although GDPR doesn't come into force until May 2018, implementation can take months; so it's best to start planning as soon as possible.
Is your data affected?
The Commission defines personal data as "any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information or a computer's IP address."
The EU intends this regulation to apply to any and all data held on EU citizens, so it will impact on UK businesses that want to process or store EU citizen data. In other words, you will still need to comply with the new regulations even after Brexit.
GDPR means EU citizens will have the right to be notified if their data has been compromised in any way. So organisations must contact their Data Protection Authority (DPA) within 72 hours of learning about a breach. There are no exceptions and failure to comply will result in potentially crippling fines starting at €10 million - or 2% of global turnover.
This is a big ask considering it currently takes around 200 days to detect a breach. You can see this as a burden - or view it as the opportunity it is.
Here are the key issues you need to consider:
- Data protection doesn't just lie with the IT department. It is everyone's responsibility, with the board responsible for leading and implementing a security culture from the top.
- There are some good tools on the market, such as nmap, that allow you to find and classify all your critical information. Once you know where it is, you need to understand how it is being accessed both internally and externally.
- You'll also need to perform a risk assessment. This will tell you where to focus your resources so you can mitigate the risks to your organisation.
- Everyone needs to know their responsibilities and understand why certain policies and processes are in place. Without everyone on-board, your task will be a lot harder.
UK companies have less than two years to implement GDPR processes and systems. Our handy downloadable timeline explains what you need to do, when you should start doing it and how long it should take.
Copyright © 2016 Jamie Graves, ceo of ZoneFox.