GDPR: Have you got it sussed?

In less than a year the General Data Protection Regulation (GDPR) comes into force – and organisations that fail to comply could face multimillion pound fines.

Never before has it been so important for organisations to ensure the safety of data in their care. Perhaps this explains why the Government’s Cyber Security Breaches Survey found the need to protect customer data was the top reason for investing in cyber security measures. Worryingly, it also found that organisations holding personal data were more likely to suffer cyber breaches than those that don’t – 51% compared to 37%. Such breaches could cost organisations seven-figure sums.

With the GDPR clock ticking, we spoke to Virgin Media Business’s resident security guy, Dave Sirignano, who answered six questions all organisations should consider.

GDPR comes into effect from 25 May, 2018. If you suffer a breach after the onset of GDPR and it’s found that you haven’t complied, you are liable to be fined. This can be up to 4% of global turnover, so it’s extremely important to comply.

Hold a personal data audit on your company. First find out what personal data you hold, bearing in mind that with GDPR personal data is anything that can identify you as an individual. Even IP addresses come under the umbrella.

Next, find out where the data is stored and weed out any unnecessary records or data collection your organisation is engaged in. For data collected for legitimate purposes, make sure sources are aware of why and how it is being collected and processed. Under GDPR, the importance of their consent is even more important than it was before.

It’s not enough to get people to accept terms and conditions. Individuals must be explicitly told how their data will be processed and why.

In a word, yes. Whereas Data Protection legislation focused on the data controller and its specific responsibilities, GDPR will extend that to the data processor. For example, if your organisation collects data and sends it on to a third party that has a breach, under GDPR both organisations will be liable.

No, it doesn’t. Compliance is security by numbers. You’ve got a checklist and you tick the boxes. That doesn’t change the underlying culture of an organisation and its attitude to security. A lot a breaches are down to human error in response to things like phishing. So staff need to be aware of security risks in order to guard against such events.

GDPR compliance could make organisations complacent when it comes to their security. Don’t fall into that trap.

Ultimately, GDPR will mean a better service for customers. Organisations that make sure all processes are documented, know where their personal data is stored, protect it properly and encrypt it when it’s at rest, are securing individuals’ information.

In addition, under GDPR any losses of availability must be recovered as soon as possible. All this is a good thing for everyone. If you still go on to suffer a breach, but have documented your processes and done everything expected, my understanding is that your fine will reflect the efforts you’ve gone to.

Dave Sirignano is a Business Information Security Consultant at Virgin Media Business.

To find out more about GDPR, why not come to the Virgin Media Business Security Seminar on Wednesday 12^th July at the Etihad Stadium in Manchester? We are co-hosting the event with international law firm Eversheds Sutherland and will be joined by SecureLink and Palo Alto Networks.