Countdown to GDPR: The last 100 days
13 February 2018
Today marks 100 days until the GDPR becomes enforced across the UK and the rest of Europe. As you’re probably now already aware, from the 25th of May 2018, the GDPR will replace Europe’s existing data directive, and the GDPR’s new data guidelines will be enforced. You can learn more about the GDPR and the impact it will have on UK businesses by clicking on the link below.
100 days to go: what can businesses do to prepare?
Although there are many changes to existing data laws that businesses need to adhere to in order to ensure GDPR compliance, there are probably two critical aspects to the regulation that will have the most impact on the UK’s businesses:
1. Access to personal data and the right to erasure
2. Appropriate data security and accountability.
Let’s take a look at both of these aspects in order to better understand how businesses can prepare for the GDPR with less than 100 days to go.
Access to personal data and the right to erasure
The right to erasure, or “the right to be forgotten” provides individual citizens across Europe with the ability to have personal information “owned” by organisations to be deleted. This critical element of the GDPR is applicable following a number of generic circumstances, including when the individual withdraws consent. In other words, all an individual needs to do in order to ensure their data is deleted is to ask a company to remove all traces from their database.
While finding all data linked to a specific individual seems simple in itself, ensuring every single record of an individual across various data sources including documents, CRM systems, email trails, HR information, marketing lists and even voice recordings is included can be a laborious (and potentially inaccurate) task without the right systems and infrastructure in place. To make things more complicated, businesses have to comply to information requests within extremely strict timelines, and have to provide the data free of charge unless the request is unfounded or excessive.
How can businesses comply with the right of access and right to be forgotten?
Ensuring you have control of your data is critical to being able to comply with these requests. Consolidation of your data into one or two secure locations is key. Remember – this directive applies to old data, including backup data which may be on archived storage such as tape or even printed on paper, so it’s vital that your data is standardised, stored, indexed and managed appropriately. Data management providers such as Nimble (HPE), Cloudian and Infinidat are leaders in this space, so looking their way is a great starting point.
Even when you’ve taken this step, you’ll still need to be able to search through your newly consolidated databases. Data Management and search tools such as Nuix, Index Engines and Prodec’s very own ProCirrus Search allow organisations to search, compile and send any data requested associated with that individual.
Data security and accountability
Ensuring data security is not a new requirement. The UK’s current Data Protection Act already provides stringent guidelines that businesses must adhere to. The GDPR simply builds on this existing legislation, but provides much stronger repercussions for organisations that fail their legal and moral obligations associated with the security of their employee, partner and customer data. Going forward, data security will play an extremely important role in the daily running of a business, and should impact all major business processes including the implementation of new IT, routes to market, and even which suppliers and partners a business uses. Data security shouldn’t be an addon to your business plans – it needs to be an integral part. It’s therefore critical that you don’t approach your IT security systems as an addon to your existing network. Think “security by design”, rather than adding your security as a layer to a pre-existing system.
How can businesses ensure data security in a post-GDPR UK?
Hopefully, for the majority of businesses, you just need to keep doing what you’re doing now. Reviewing your current network and ensuring you have appropriate network security tools to regulate traffic entering and leaving your network is an excellent first step. Vendors such as Cisco, Palo Alto Networks and Fortinet all provide a range of excellent firewalls and security tools that greatly reduce the threat of attack when your data is at rest.
When configured and managed correctly, cloud-based data storage and management can offer enterprise-grade levels of security to your data. If your data currently resides in the cloud, or if you’re considering migrating it there, reviewing your cloud provider’s security infrastructure and security policies is critical.
Even with the best IT security systems available on the market, your network is still only as secure as its weakest ingress point. With a critical element of GDPR data security being accountability, it’s vital that appropriate training is provided to employees. Email-based security breaches are surprisingly common thanks to sophisticated social engineering techniques that can glide straight through firewalls and sandboxes. Ensuring your employees know the telltale signs of a phisher or hacker utilising email as their gateway is just as important as maintaining network security or data encryption tools. Look out for innovative IT security training providers such as KnowBe4, and you’ll be able to cauterise the threat of email infiltration before it becomes an issue.
What are you doing about GDPR with just 100 days to go?
Whether you’re just starting to explore the repercussions of GPDR or are in the implementation stage of your plan, Prodec Networks can help. Prodec offers a range of industry leading data management, cloud and network security services designed not just for GDPR compliance, but for true data security, simple data management, and exceptional business continuity. Download Prodec’s GDPR whitepaper for more information about the GDPR and the impact it will have on UK businesses, or get in touch directly.