The new EU General Data Protection Regulation (GDPR) will be introduced on 25 May 2018. The regulation will be an overhaul of the UK’s current Data Protection Act (1998).
The new data protection laws will apply to businesses and public sector organisations of all sizes, and the regulation enforces new guidelines for data handling that both data processors and data controllers must abide by.
The purpose of GDPR
As we find ourselves in a new age of technology, companies are now able to store more Personally Identifiable Information (PII) data than ever before. This means that there is a greater need for customers’ personal information to stay protected, and this is what the General Data Protection Regulation aims to achieve.
Along with companies now being able to store more data comes a rise in cyber crime activity, as cyber criminals become more advanced in their efforts to target companies. Recently, well known organisations have found themselves victims of cyber security attacks, such as the WannaCry ransomware which affected NHS England as well as hundreds of other companies globally.
In total, there were 50 cyber incidents reported to the ICO across different industries between the period of April-June 2016, compared to 119 between January-March 2017 (a 138 per cent increase).
Investing in cyber security
E-learning and training provider Virtual College say that in order to be compliant for GDPR, businesses need to ensure that their technology and software is updated to protect stored data from cyber security threats.
Peter Hilliard, head of marketing at Virtual College comments, “There will be several key changes between the Data Protection Act 1998 and the GDPR that you need to be aware of. You need to start thinking about some of these changes now so that your business can be ready when the law changes. Virtual College have developed a free overview course that explains the changes that you need to be aware of as a risk owner.”
A study with IT professionals in 200 businesses by CA Technologies revealed that to meet with the GDPR deadline next May, almost nine in ten (88 per cent) of businesses stated that they need to invest in new technologies and services. Plans for investment in technology included the following areas:
Encryption (58 per cent)
Analytics and reporting (49 per cent)
Test data management (47 per cent)
Businesses spent on average £4,590 in the last financial year on investment into cyber security, according to the government’s Cyber Security Breaches Survey 2017. Predominantly, sectors which deal with finance, insurance and information or utilities sectors spent the highest amount. Education, health or social care sectors typically spent a relatively low amount in comparison, despite cyber security been considered a high priority.
Some of the UK’s leading IT companies have provided answers below to key questions surrounding how businesses should prepare for GDPR.
If a business has not updated technology correctly or is still using outdated software, what are the potential cyber security risks?
“This is a big problem as you are opening yourself up to hackers and the potential of an attack. Even simply ignoring an update is creating a risk,” says Harshini Carey, regional director at KMD Neupart UK.
“Technology has a shelf life, needs constant updates and maintenance, and failing to keep technology up to date results in vulnerabilities and being exposed to hacks, malware infections or ransomware attacks to mention a few,” commented Austen Clark, managing director at Clark IT.
What processes can a business put in place to be ‘GDPR ready’?
“Employees need to be sufficiently trained to take the proper precautions, be it with surveys, educational videos, or one-on-one meetings. The truth is that in order to become – and stay – compliant with the GDPR, organisations will have to establish the right processes that will ensure continual compliance. Information and data security need to be a part of every aspect of a company, its very foundation, for it to have a chance of succeeding,” says Carey.
“In order to prepare, small businesses should avoid the unnecessary usage of multiple disparate data systems, as they will need to account for the data they are holding by proving it is relevant to their business including the legal justification (including consent) for doing so. They must also have in place the ability to manage and respond to customers’ Subject Access Requests in a timely and efficient manner. Finally, SMEs must re-examine their cybersecurity systems to make sure they are up to date and capable of protecting any data they are storing,” comments Phil Beckett, managing director of Global Disputes and Investigations at Alvarez and Marsal.
How can a business know the right amount of money to invest in IT and cyber security?
“There is no right answer to this, but taking this seriously is important – how much value do you place on your reputation? We read news of a breach to a business, and the stigma of being unsecure stays with the victim, confidence and integrity is damaged and can be more damaging than the initial financial loss.
“Almost all software has a lifecycle. Software engineers are tasked to manage and maintain this during its lifespan. When it reaches the end of its useful life these engineers move on to the ‘new’ software leaving the older unsupported software vulnerable to future attacks – this is what happened to the NHS.
“Many actions cost nothing, like changing your password, locking your phone, educating yourself. Other steps have minimal cost, like install a malware and antivirus package, or ensuring your router and firewall are secure and up to date,” comments Clark.
Read Virtual College’s guide to GDPR here to find out more about what your business can do to be prepared for the new regulations. Or you can register for Virtual College’s free ‘An Introduction to GDPR’ online course, which is available to anyone who is looking to find out more information.
