As a small to medium sized business owner you may be aware of the looming GDPR regulations soon to come into play. GDPR stands for General Data Protection Regulation and will come into effect on the 25th May 2018. The new regulations carry heavy fines for any business handling data in an insecure fashion, which unfortunately happens more often than you might think. Let’s convert this into layman’s terms. How does this translate in real life? Below are a number of common scenarios that occur in today’s business environment:
- A user copies data on to a USB stick to transfer elsewhere.
- A user transfers data using an insecure FTP server.
- A user leverages an insecure cloud sharing tool. Think: Using a share link with no login required. What is the cloud provider doing with your data? How are they storing it?
Sound familiar? These use cases are rife in the business space. Of course there is much more to the new regulations than these scenarios, but these very common cases would attract a large fine.
Maybe I’m exempt?
This isn’t likely. Any company that works with information associated with EU citizens will have to comply with the requirements of the GDPR.
Before the GDPR, the Data Protection Act was the basis of many information governance policies protecting particular data types in the UK. GDPR’s scope is a lot wider. The GDPR considers any data that can be used to identify an individual as personal data. It includes things such as genetic, mental, cultural, economic or social information. So if you think you don’t need to worry about it… think again!
What can we do about GDPR?
There are a lot of solution providers with their own solution to GDPR. Some of these products are fantastic but offer a lot more than what a business in the SME space might need. These products can also be very costly.
Think! You may already have the technology in place to assist. In most cases the technology has not been configured for this use case, yet it is capable of getting you half way there, if not more! For example, many companies use a Windows based infrastructure. Microsoft offers things like file auditing, removable device policies and file encryption as part of the operating system, and Exchange/Office 365 DLP policies for its email solutions (these features have been around for quite some time).
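As an added example (not code from the original post), here is a PowerShell check for whether three of those built-in Windows controls have actually been configured on a machine; it assumes the standard Group Policy registry locations and the BitLocker module, and the share path is a placeholder to replace with your own.

```powershell
# Added example: confirm the built-in controls named above are switched on.
# Run from an elevated PowerShell on the machine under review.

# 1. Removable device policy. The Group Policy setting
#    "Removable Disks: Deny write access" writes Deny_Write under this key,
#    using the removable-disk device class GUID.
$usbKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
$denyWrite = (Get-ItemProperty -Path $usbKey -Name Deny_Write -ErrorAction SilentlyContinue).Deny_Write
if ($denyWrite -eq 1) {
    Write-Output 'USB write access : denied by policy'
} else {
    Write-Output 'USB write access : NOT restricted (files can be copied to a stick)'
}

# 2. File auditing. Folder-level audit rules (SACLs) only produce
#    "object accessed" events once the File System audit subcategory is enabled.
$auditRow = auditpol /get /subcategory:"File System" /r | ConvertFrom-Csv
Write-Output ("File System audit: {0}" -f $auditRow.'Inclusion Setting')

# A folder also needs an audit rule of its own; check a sensitive share.
$sharePath = 'D:\Shares\Clients'   # placeholder: your own sensitive data folder
if (Test-Path $sharePath) {
    $auditRules = (Get-Acl -Path $sharePath -Audit).Audit
    Write-Output ("Audit rules on {0}: {1}" -f $sharePath, $auditRules.Count)
}

# 3. Disk encryption. ProtectionStatus reports On/Off for each volume.
$volumes = Get-BitLockerVolume -ErrorAction SilentlyContinue
if ($volumes) {
    foreach ($v in $volumes) {
        Write-Output ("BitLocker {0} : {1}" -f $v.MountPoint, $v.ProtectionStatus)
    }
} else {
    Write-Output 'BitLocker: not available or no volumes reported'
}
```

Each line that reports "NOT restricted", "No Auditing", zero audit rules or "Off" is a control the business already owns but has not yet turned on.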
As a result of correctly configured technologies combined with enforced and well thought out business processes, we can bring our data practices into a compliant state. With the correct attitude we can help businesses stay on the legal side of the upcoming regulations.
The ICO is helping inform businesses of the upcoming change and has some great information. Take a look: https://ico.org.uk/for-organisations/data-protection-reform/guidance-what-to-expect-and-when/
Preparing for GDPR does not need to be a costly exercise if you engage the correct specialists in good time. Contact us to see how we can help firm up your data compliance posture.
As always, please feel free to comment and share.