The General Data Protection Regulation (GDPR) is high on the agenda for many companies, especially when they read some of the scare stories and blogs out there. It can seem daunting and impossible to know where to start to comply with the European Union’s (EU) data protection reform.
Indeed, there are so many scare stories out there about businesses being closed as a result of GDPR: “GDPR will stop dentists ringing patients to remind them about appointments,” or, “cleaners and gardeners will face massive fines that will put them out of business,” or, “all breaches must be reported under GDPR.”
Many new businesses have started on the back of GDPR; offering expert advice to solve your problem. And countless other companies are trying to sell everything under a GDPR banner. I met a new GDPR business owner last month who told me that he was going to buy his new boat on the back of the consultancy work he would be getting out of GDPR.
However, the reality is different. GDPR is about putting the protection of individuals’ personal data first, it is not a license for companies to offer ever-more complex systems to solve seemingly impossible problems. Most companies want to protect the personal data they have. Indeed, much of what is required for GDPR is already best practice for many companies.
What do you need to know about GDPR?
GDPR affects any organization that does business in the EU. The regulations try to ensure personal data is stored and transferred with strong data protection in place. You should know what is collected, how it is stored, who you share it with and how it is protected.
You should be ready to report a breach to your local data protection authority within 72 hours of learning of the breach and, in some cases, also be ready to report the breach to individuals impacted by it. And finally, you should be aware that fines for not doing this can be large, up to 4% of annual turnover.
So - what can you do?
Start to understand the data your business collects and uses. Record and limit who can access personal data - especially when you are sharing that data out of your organisation. Make sure that you encrypt as much of that personal data as possible, and anonymise or ‘pseudonymise’ it.
Most breaches are the result of stolen credentials. It is therefore critical to make sure users are who they say they are. It is no longer enough to simply rely on a password to do this as they can easily be stolen. Multi-factor authentication protects against unauthorized access using stolen credentials.
There is no single solution out there that will ensure compliance, but doing the security basics well will help you protect your company’s personal data and help you comply with GDPR. It is critical to make sure that the users who access sensitive data are who they say they are, use complex passwords, need access and are protected by using multi-factor authentication.