A worrying report surfaced in June that nearly a quarter of UK small businesses have not yet begun to prepare for the EU’s General Data Protection Regulation (GDPR). The new regulations, which will come into force on 25 May 2018, have been put in place to attempt to provide EU citizens with more control over how companies and organizations make use of their personal data.
Heavy fines of up to €20 million or 4% of global turnover can be applied to companies that don’t follow the regulations, so if your business isn’t currently preparing for GDPR, now is the time to start. And for those companies relying on Brexit overruling this legislation, it should be noted that it will come into force before the UK can leave the EU. Even after the UK leaves the EU, the Data Protection Bill, which bears a great resemblance to GDPR, will take precedence, so you do need to be prepared. You cannot afford complacency with these regulations. That's why I've put together six steps that will help your business prepare for GDPR.
Step One: Educate Yourself
In the same report, 14% of small businesses revealed that they didn’t even know what GDPR is. In fact, just 7% of the companies that responded said that they had a full understanding of the rules. It’s likely that no matter where you stand on the issue, you could do with learning more about how the regulation works.
One of the reasons that GDPR is being brought in is to make businesses accountable for breaches and loss of data. This means that you need to not only put security features in place, but also take the time to understand how attackers operate. Whether you’re a director in the business or the manager of the IT department, it’s up to you to lead from the front and have a full understanding of the risks.
Step Two: Work with an Experienced Cybersecurity Firm
If you don’t currently understand the rules regarding the incoming legislation, then it’s vital that you start to work with a business or expert that does. Choose an experienced and knowledgeable cybersecurity firm with extensive GDPR services. They will be able to review your current system to establish how prepared you are for GDPR. You will also be able to rely on their help to implement the new elements of the system.
Step Three: Make Sure Everyone in the Business Understands
It’s vital that you don’t leave the work of sorting out the regulations just to the IT department – everyone in the business needs to be made aware of the new rules surrounding data regulation. Coming into line with the rules will likely mean you need to change your policies, and keeping your whole team informed will ensure that the proper procedure is followed.
Step Four: Work from Your Current IT Security Policy
Once you have got to grips with what the regulation entails and what it means for your business, you need to take a look at how you currently handle data and the range of IT security measures you have in place. Consider what types of data you currently collect from your customers and clients, and where this data is stored. One rule under GDPR is that customers have the right to ask businesses to erase their personal data. This means you must have the capability to do this – it may involve completely changing the way you store the data in the first place.
When you have a good understanding of your current system, you can establish which elements already fall in line with the regulations and which need to be altered.
Step Five: Change Your Privacy Policy
For many businesses, the privacy policy is simply a piece of legal documentation that needs to be abided by, but has little bearing on the day-to-day actions of the company. So it can be easy to forget that your privacy policy will likely need to be changed. In current systems, customers are required to opt out if they don’t want their data to be stored. However, many don’t realize that this is possible. The GDPR rules state that customers must opt in to data storage, which should make the whole system fairer.
Step Six: Be Prepared for Assessments
This legislation is being taken very seriously and it is likely that you will face assessments to ensure that your policies have come into line with the rules. Don’t assume that you will be able to claim innocence through ignorance of the rules – fixed penalties will be applied to companies that do not comply. It’s a much better idea to get your GDPR policy sorted as soon as possible so that the whole business is used to it by the time the regulations come into force.
Applying these steps to your business will do so much more than just prepare you for legal changes. The whole point of the GDPR policy is to keep companies better protected and able to deal with breaches in security. Putting into place the right strategies and systems can keep your business secure for years to come.
About the Author
Mike James is an independent writer, tech specialist and cybersecurity expert based in Brighton, UK. Published in many of the leading online and print magazines, he is a featured writer on Ethical Hacking and Penetration Testing, and how best these disciplines can be applied in businesses of all shapes and sizes. Mike often works with Redscan, a leading supplier of cybersecurity in the UK, as well as a number of other companies. He also writes about the odd recipe and exercise regime when not on the heavy geeky stuff!
Note: This blog article was written by a guest contributor for the purpose of offering a wider variety of content for our readers. The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of GlobalSign.