In August, up to 34,000 Butlins customers were affected by a data breach, with information stolen including names, home addresses and holiday arrival dates. The company reported the breach within 72 hours, as required by GDPR guidelines, but the event led security analysts to speculate about the ‘gaping holes’ that still exist in the security strategies of businesses more than three months on from the GDPR enforcement deadline.
Research carried out by Apricorn just ahead of the deadline found that more than two-thirds of UK companies were not confident they would be fully compliant by the cut-off date in May. Over 80 per cent cited at least one area they believed could cause them to fail to meet requirements – including a lack of encryption and gaps in employee training. In light of this, it’s very likely that many organisations are still not operating completely within the GDPR guidelines.
There is nowhere to hide, even for those that manage to avoid a breach. Any company can be audited to check they are in compliance and, in the event that they are not and they don’t take action to rectify any shortcomings, remedial fines could apply.
Even for those that are fully compliant today, remaining so will require continued effort. This is something that respondents to the Apricorn survey recognised, with 98 per cent agreeing they will need to invest in policy, people and technology on an ongoing basis.
So three months on, what are the biggest areas of risk for UK companies? Respondents to the Apricorn survey were asked in which areas they were most concerned they would fall short, and their answers provide a good indication of where the greatest risks lie.
Control of data
Fifty per cent of organisations admitted that a lack of understanding of the data they collect and process is their number one concern relating to non-compliance. Mapping and securing all personally identifiable information (PII) should be the number one priority.
Document exactly what data is collected and why, and how it is processed, stored, retrieved and deleted, so you can pinpoint what may be unprotected and at risk. Ensure you are collecting and keeping only the PII you require for legitimate business purposes, destroying anything that’s no longer needed or has been kept beyond the retention policy date.
Those companies which carried out a comprehensive information audit as part of their GDPR preparations cannot sit on their laurels. The work doesn’t stop there. Data is an organic thing, with new information flowing into and generated by the business every day, so this mapping exercise has to be repeated on an ongoing basis.
Once the data is fully understood, the processes and policies around it need to be created, documented and enforced. These should cover the mobile and flexible working practices employees are required to follow, along with the types of device allowed by the business and how they must be used. Test your ability to handle the new rights EU citizens possess under GDPR – such as the right to be informed, the right of access, the right to erasure and the right to data portability.
Policies and processes will need revisiting and updating at regular intervals to keep pace with changing ways of working, as well as advances in technology.
Lack of encryption
Almost a quarter (22 per cent) of respondents were concerned they may fail to comply with GDPR due to a lack of encryption. Article 32 of the GDPR requires the pseudonymisation and encryption of personal data, and the largest fines can be mitigated if the breached company can provide evidence that the data at risk was fully encrypted. All PII should be encrypted – both at rest and in transit.
Three in ten (30 per cent) companies said they were worried they could fall foul of GDPR due to mobile working. The risk can be managed by investing in tools that will make security processes easier to follow, and which ‘lock down’ data when it’s taken outside of enterprise networks. This should include the mandated and enforced use of corporate-standard encrypted removable storage devices.
Gaps in employee training
Almost four in ten companies believed they were most likely to fail to comply with GDPR because of gaps in employee training, and almost a quarter (23 per cent) said their employees didn’t understand the new responsibilities that come with GDPR.
By now, all employees should have an understanding of the importance of GDPR and their role in keeping personal data safe, and most organisations will have provided some form of training. Any gaps that persist need to be pinpointed and addressed urgently, with training days and documented policies, to ensure that every employee at every level is a responsible information owner. As well as the rules they must follow, this requires an awareness of the value of the data they handle, the specific risks inherent in the work they do, and the consequences of failing to adhere to the GDPR framework.
Again, this is not a one-off task. People forget, and workforces change – so refresher training will be necessary to keep employees on track, and data protection should be included as part of induction programmes. Employee training must also be regularly reviewed to align with any changes in the GDPR framework, as well as the specific risks that apply to the business.
The necessity for someone to take ownership of proactively understanding, controlling and securing PII will have become starkly apparent to some companies. Those struggling with this could consider appointing a data protection or compliance officer. This is mandatory for companies of a certain size under Article 37 of GDPR, but smaller organisations handling a high volume of personal records may also find it invaluable to create a role that is expressly responsible for data mapping, implementing security policy and strategy alongside the IT team, and any reporting obligations.
Becoming savvy with GDPR rights
The more time that passes after the GDPR ‘finish line’, the more savvy individuals will become about their rights. Taking increasing ownership of their data, they’ll assume companies are doing everything GDPR mandates with the information they share. Companies will be held to account by consumers, as well as by regulators.
A substantial proportion of organisations recognise that meeting those expectations brings benefits: 44 per cent of respondents to the Apricorn survey agreed that GDPR was a welcome opportunity to overhaul data handling and security processes. The challenge now is to identify and fix any gaps in compliance, and ensure that best practice remains a priority.
There is no quick fix or magic pill. It’s a case of understanding where the biggest risks and gaps lie, then addressing those immediately through practical action.
Jon Fielding, managing director EMEA, Apricorn
Image source: Shutterstock/Wright Studio