WHAT IS GDPR?
The General Data Protection Regulation (GDPR) comes into effect on 25th May 2018. However many businesses, small and large, are not fully prepared for the changes they will have to make to meet compliance. A study by Alert Logic found that of 200 EU companies surveyed, only 5% expected to be fully compliant before the regulation comes into effect.
So what exactly is the GDPR? The regulation was adopted by the European Parliament and the Council of the EU in April 2016 and replaces the 1995 Data Protection Directive, which in the UK was implemented as the Data Protection Act 1998. The aim is to modernise data handling processes, changing both the way we think about personal data and what we can do with it. The regulation applies to any organisation established in the EU that processes personal data, and also to organisations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU. Its main purpose is to protect the personal data (broadly, what is often called personally identifiable information, or PII) that companies hold on individuals and to give individuals control back over their own data.
CONSEQUENCES OF NON-COMPLIANCE
2017 marked a stark increase in both the volume and the sophistication of cyber security threats that businesses now need to contend with. The information most sought after includes names, addresses and banking details, which are valuable to attackers because they can be used for identity theft, fraud and blackmail. Attacks have also been reported that start from as little as a device identifier such as an IMEI number. This presents a serious threat to personal data sitting on company devices and means companies must rethink the security of the information they hold. Factoring in the trend towards BYOD (Bring Your Own Device), company data is increasingly moving onto personal devices over which IT departments have no control. This is a significant challenge that should not be overlooked when considering GDPR compliance.
The GDPR requires many organisations to appoint a Data Protection Officer (DPO): the appointment is mandatory for public authorities and for organisations whose core activities involve large-scale, regular monitoring of individuals or large-scale processing of special categories of data. The regulation also defines the roles of data controller (who determines why and how personal data is processed and how long it is retained) and data processor (who processes data on the controller's behalf), and holds both accountable. A supervisory authority can audit a company at any time to check compliance or to investigate a data breach, and if an infringement is found a substantial administrative fine can be imposed. The lower tier of fine is a maximum of €10 million or 2% of annual global turnover, whichever is greater; it covers, for example, failing to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it. The higher tier, for infringements of the core data protection principles, of individuals' rights or of the rules on international transfers, is a maximum of €20 million or 4% of annual global turnover, whichever is greater. Supervisory authorities have made it clear that they will enforce against small and large businesses alike, underlining the responsibility every business has to protect personal data.
HOW TO COMPLY
As technology evolves, working culture is shifting towards an 'always-on', ever connected environment. Many companies have therefore adopted a BYOD policy to increase the efficiency and flexibility of their employees while saving the cost of buying large amounts of equipment. Although this trend has many benefits, it poses serious security risks, because employees can access sensitive customer or business information from their personal devices. That information is exposed when a device connects to an unsecured Wi-Fi network, runs out-of-date software or lacks current anti-virus protection. Such devices also expose the internal network to attack while rarely being monitored by the IT department, meaning that sensitive data, company information and even the integrity of the network can be compromised by one user who unwittingly uses a vulnerable device. There is also the risk that an employee leaves the company before their device is wiped of sensitive data, or that the device is lost or stolen. In preparing for the GDPR it is imperative that this data be inventoried and protected to minimise the chance of a breach, because a breach on a personal device is still a breach of the company's obligations.
A popular way to remedy or avoid these risks is to roll out Enterprise Mobility Management (EMM) software on devices that hold sensitive data. EMM software enables the IT team to secure data, control who has access to it and enforce policies that make devices less vulnerable, such as requiring device encryption and a screen lock, keeping the operating system up to date, separating corporate data from personal data on the device, and remotely wiping corporate data when a device is lost or an employee leaves. This can be administered from the cloud, which relieves individuals of having to perform tasks they do not understand and removes the dependence on them to make sure data is properly secured. With the GDPR fast approaching, EMM software could be the solution to safeguarding information on mobile devices while maintaining the same level of flexibility.