GDPR: Have you got it sussed?
A matter of data
July 5th 2017
In less than a year the General Data Protection Regulation (GDPR) comes into force – and organisations that fail to comply could face multimillion pound fines.
Never before has it been so important for organisations to ensure the safety of data in their care. Perhaps this explains why the Government’s Cyber Security Breaches Survey found the need to protect customer data was the top reason for investing in cyber security measures. Worryingly, it also found that organisations holding personal data were more likely to suffer cyber breaches than those that don’t – 51% compared to 37%. Such breaches could cost organisations seven-figure sums.
With the GDPR clock ticking, we spoke to Virgin Media Business’s resident security guy, Dave Sirignano, who answered six questions all organisations should consider.
What does GDPR mean for my organisation?
GDPR comes into effect from 25 May, 2018. If you suffer a breach after the onset of GDPR and it’s found that you haven’t complied, you are liable to be fined. This can be up to 4% of global turnover, so it’s extremely important to comply.
I want to comply, but where do I start?
Hold a personal data audit on your company. First find out what personal data you hold, bearing in mind that with GDPR personal data is anything that can identify you as an individual. Even IP addresses come under the umbrella.
Next, find out where the data is stored and weed out any unnecessary records or data collection your organisation is engaged in. For data collected for legitimate purposes, make sure sources are aware of why and how it is being collected and processed. Under GDPR, their consent is even more important than it was before.
It’s not enough to get people to accept terms and conditions. Individuals must be explicitly told how their data will be processed and why.
Will GDPR mean a lot of work?
This depends on how security-conscious your organisation is already. If you’re ISO27001-certified then you meet industry best practice and are in good shape. GDPR requirements include a resilient network, extensive documentation, and robust incident response and business continuity processes.
If you don’t have such good ‘security hygiene’, big changes will be needed and there will have to be a culture shift within the organisation. You will need a greater understanding of your organisation’s personal data holding.
GDPR also necessitates ‘Security by design’. Every new product, application or network must incorporate security from the word go. It can no longer be an afterthought, nor can products be rushed out to market without security being taken into account; the result could be a hefty fine.
Are third parties affected by GDPR?
In a word, yes. Whereas Data Protection legislation focused on the data controller and its specific responsibilities, GDPR will extend that to the data processor. For example, if your organisation collects data and sends it on to a third party that has a breach, under GDPR both organisations will be liable.
Does GDPR compliance mean you’re secure?
No, it doesn’t. Compliance is security by numbers. You’ve got a checklist and you tick the boxes. That doesn’t change the underlying culture of an organisation and its attitude to security. A lot of breaches are down to human error in response to things like phishing. So staff need to be aware of security risks in order to guard against such events.
GDPR compliance could make organisations complacent when it comes to their security. Don’t fall into that trap.
What will happen if I comply with GDPR’s requirements but still suffer a breach?
Ultimately, GDPR will mean a better service for customers. Organisations that make sure all processes are documented, know where their personal data is stored, protect it properly and encrypt it when it’s at rest, are securing individuals’ information.
In addition, under GDPR any losses of availability must be recovered as soon as possible. All this is a good thing for everyone. If you still go on to suffer a breach, but have documented your processes and done everything expected, my understanding is that your fine will reflect the efforts you’ve gone to.
Dave Sirignano is a Business Information Security Consultant at Virgin Media Business.
To find out more about GDPR, why not come to the Virgin Media Business Security Seminar on Wednesday 12th July at the Etihad Stadium in Manchester? We are co-hosting the event with international law firm Eversheds Sutherland and will be joined by SecureLink and Palo Alto Networks.