The hype that surrounded the introduction of the General Data Protection Regulation (GDPR) earlier this year directed a spotlight on the thorny issue of data privacy.
In essence, the GDPR is about protecting and enabling the data privacy rights of individuals, handing control back to the person the data describes (the data subject), whether that data consists of location data, online identifiers such as usernames, IP addresses or cookies, or other records. This matters because loss of personal or work-related information is a serious problem for businesses of any size or sector: almost half of UK businesses have fallen victim to cyberattacks or security breaches in the last year, costing them each thousands of pounds, according to a UK government report.
The task of effectively handling, managing and securing data is challenging enough, but under the new regulation, individuals can, in certain circumstances, require that any personal data a company holds on them be located and erased (the right to erasure). Locating every copy, including those held in backups and with third-party processors, poses an even greater obstacle to many firms’ compliance efforts.
The arrival of GDPR means greater penalties can be imposed for non-compliance, including failure to secure personal data, so it is essential that businesses are compliant. However, recent data suggests that many companies are still struggling with their compliance efforts. A poll by The Governance Institute (ICSA) shows that over three-quarters (78 per cent) of organisations surveyed have found becoming compliant with GDPR to be “a heavy burden” on their resources.
The poll claims the increased workload, strain on IT and problems with third party contractors meant that just 50 per cent of organisations were fully compliant with GDPR when it came into force on 25 May this year.
Elsewhere, research by Spiceworks, a leading forum for IT professionals, shows that larger companies are taking compliance more seriously than small firms, with higher amounts of budget allocated for compliance. However, GDPR affects every organisation, and small and mid-sized companies can fall victim to data breaches as much as the enterprise.
For example, global ransomware attacks are soaring, with 86 per cent of IT Managed Service Providers (MSPs) reporting, in a recent survey, that their small to medium-sized business (SMB) clients have been victimised by ransomware. Further, 99 per cent of MSPs believe the frequency of SMB-targeted attacks will continue to increase over the next two years.
Having a business continuity and disaster recovery (BCDR) policy in place should be essential for any organisation that wants to protect customer data from accidental loss or criminal data breach. In the context of GDPR, it is also what lets a company meet its obligation to restore the availability of, and access to, personal data in a timely manner after an incident, and it is what allows a company to recover from a ransomware infection without paying. For example, research shows that with a reliable backup and recovery solution in place, 96 per cent of companies can fully recover from ransomware attacks.
Ultimately, anyone charged with protecting data should assume it’s the most important data in the world – otherwise they will run into problems down the road.
How to pass a GDPR health check
Being GDPR compliant requires understanding the data you hold, your policies and processes for managing that data and training employees to ensure they understand and can comply with these regulations. Mapping out how data moves through the company and where it is stored – whether it’s in emails, CRM systems, cloud applications or on a backup appliance – is a good starting point. With a full and thorough understanding of your data landscape, it will be a lot easier for you to identify any gaps that need to be addressed.
Once you understand your procedures, you should review and update your security policies. IT solutions can play an important role in GDPR compliance and adequate data protection. There is no one-size-fits-all solution, but at the very least, businesses must ensure they carry out regular security health checks of their entire IT environment. Health checks should include reviewing whether firewalls are correctly configured, ensuring all devices (backup appliances included) have up-to-date patches applied and are running supported software versions, and confirming that encryption is enabled for data at rest and in transit.
When it comes to defending against cyber-attacks and data breaches, human error is often an issue, so educating your employees is crucial. Technology can also be used to enforce consistent security policies across the organisation – such as blocking unencrypted devices or only allowing access to those files and applications that the employee actually needs.
Businesses must also ensure the ongoing confidentiality, integrity and availability of processing systems and services, and have the critical ability to restore access to personal data in a timely manner in the event of a physical or technical incident; these are the security obligations set out in Article 32 of the regulation. A key consideration is how long data should be retained and how it can be managed and deleted. Backup solutions should provide options for customising data retention schedules to meet an organisation’s business needs, as well as the ability to delete backups from the system, so that old copies of personal data do not outlive the purpose for which they were collected.
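To make the retention point concrete, the following is an added example (not code from the article or from Datto) of a customisable backup retention schedule of the kind described above: a grandfather-father-son policy that keeps the newest daily, weekly and monthly snapshots and marks everything else for deletion, with a hard maximum age so that no copy of personal data is retained longer than the organisation has decided. The snapshot dates are constructed sample data, and the policy defaults are assumptions for illustration.

```python
from collections import OrderedDict
from datetime import date, timedelta


def select_retained(snapshot_dates, today, daily=7, weekly=4, monthly=12,
                    max_age_days=None):
    """Return the sorted list of snapshot dates to keep.

    Grandfather-father-son retention (hypothetical policy defaults):
      - keep the newest `daily` snapshots,
      - keep the newest snapshot from each of the newest `weekly` ISO weeks,
      - keep the newest snapshot from each of the newest `monthly` months,
      - never keep anything older than `max_age_days` (a hard retention limit).
    Snapshots dated after `today` are ignored.
    """
    dates = sorted({d for d in snapshot_dates if d <= today}, reverse=True)
    if max_age_days is not None:
        cutoff = today - timedelta(days=max_age_days)
        dates = [d for d in dates if d >= cutoff]

    keep = set(dates[:daily])  # sons: newest N snapshots

    weeks = OrderedDict()  # fathers: newest snapshot per ISO (year, week)
    for d in dates:
        weeks.setdefault(d.isocalendar()[:2], d)  # first seen is the newest
    keep.update(list(weeks.values())[:weekly])

    months = OrderedDict()  # grandfathers: newest snapshot per (year, month)
    for d in dates:
        months.setdefault((d.year, d.month), d)
    keep.update(list(months.values())[:monthly])

    return sorted(keep)


def prune(snapshot_dates, today, **policy):
    """Return the sorted list of snapshot dates that must be deleted.

    Everything not selected by the policy is eligible for deletion, including
    snapshots that pre-date the hard age limit. Callers should record each
    deletion so retention can be evidenced later.
    """
    keep = set(select_retained(snapshot_dates, today, **policy))
    return sorted(d for d in set(snapshot_dates) if d <= today and d not in keep)


# Constructed sample data: one snapshot per day for 400 days ending 2018-11-30.
TODAY = date(2018, 11, 30)
SAMPLE_SNAPSHOTS = [TODAY - timedelta(days=n) for n in range(400)]

if __name__ == "__main__":
    kept = select_retained(SAMPLE_SNAPSHOTS, TODAY)
    print(f"keep {len(kept)} of {len(SAMPLE_SNAPSHOTS)}; oldest kept {kept[0]}")
    capped = select_retained(SAMPLE_SNAPSHOTS, TODAY, max_age_days=300)
    print(f"with a 300-day hard limit: keep {len(capped)}; oldest kept {capped[0]}")
```

Running the block with the sample data keeps 20 of the 400 snapshots (seven daily, four weekly and twelve month-end copies, with overlaps), the oldest being the 2017-12-31 month-end. Adding the 300-day hard limit removes the two month-end copies older than that, which is the control an erasure or retention policy actually needs: a schedule alone keeps the newest copies indefinitely, only the hard limit guarantees that old copies eventually disappear.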
With more data being processed and stored, cyber threats continuing to grow and with regulations such as GDPR being implemented, managing data is becoming increasingly complex for small businesses. However, the good news is that many MSPs have added GDPR consulting to their portfolio, partnered with legal firms and independent GDPR experts and are now in a strong position to support their customers – giving peace of mind to the small businesses that rely on them as their trusted advisors.
Non-compliance with the new regulation can not only cause reputational damage to a company but also result in substantial fines. In the coming months, case law and experience will shine a stronger light on exactly what the regulation means in reality. But one thing is clear enough: no business can afford to bury its head in the sand – and if you need help with getting your data processing in order, you should get it now.
Campbell Hutcheson, Chief Compliance Officer, Datto