Now more than ever, cyber security is becoming a pivotal part of how companies operate on the internet. From 25 May 2018 the General Data Protection Regulation (GDPR) will apply across the EU, which includes the UK.
This means that companies, no matter their size or sector, must adhere to eight principles outlined in the law. Each is designed to protect and strengthen data protection for all individuals in the EU, and together they require companies to:
- Keep a detailed log of data breach incidents
- Hire a data protection officer if they employ more than 250 people
- Comply with an individual's right to erasure (the right to be forgotten)
- Be able to export data belonging to an individual and transfer it to a place of that individual's choosing
From May next year this means that if a company faces a major breach of its security, it could face a fine of up to 5 per cent of its turnover — or 20 million Euros, whichever happens to be higher.
As well as keeping information safe, striving for better protection and security has also been a ranking factor in Google since 2014. By moving to HTTPS (adding an SSL/TLS certificate with a 2048-bit key to your site), Google said that small sites would gain a small ranking benefit, although only a “very lightweight” one that is seen as less influential than high-quality content.
But what can companies do ahead of the GDPR law?
Raising awareness within your company is key to ensuring that everyone involved knows just what the GDPR is and what consequences it carries. One of the most common mistakes employees make is to assume that company security has nothing to do with them or is not their direct responsibility.
Businesses should start looking into what personal information they hold, where it comes from, and who it is shared with. A good way to begin is an information audit: by doing this a company can review its current information and data security measures and make changes in time for May 2018.
These reviews should take into account individuals' rights and how data is handled, deleted, and provided. From this, procedures can be updated and companies can identify the lawful basis for each processing activity under the GDPR. Companies should also review how consent is recorded and managed, and implement any changes necessary to meet the GDPR standards.
One of the most important factors that a company or organisation should consider before next year is how it detects data breaches, and the procedures that are put into place once this happens. Another important measure is to make sure that a company is familiar with the ICO’s code of practice on Privacy Impact Assessments, which you can find here.
It's also worth noting that if an organisation operates in more than one EU member state, it should work out which authority is its lead data protection supervisory authority. Guidance on this is available from the Article 29 Working Party.
For more information on what your company can do, check out this article about how SALT.agency is helping its clients achieve the trusted ISO 27001:2013 certification ahead of May.