When people are asked about what the GDPR is, I often hear them respond that it’s a privacy law. Rightfully so, most of the coverage, commentary and advice related to the GDPR, which comes into effect in May 2018, leads with the word “privacy”. But what many seem to be missing (or ignoring) is that while the new legislation might incorporate end-to-end data protection, which certainly includes privacy, it also covers security.
Making sure that the data an organisation collects and processes is secure is something that’s been carefully built into the new law, and as a result, it’s a requirement companies should pay close attention to. This means taking steps to control who has access to data, both inside and outside of the company. These steps should include a means of testing your systems to determine that security processes that are in place are effective and not easily bypassed by hackers, cyber criminals or other parties who might be able to access the information.
Specialists can be engaged to run so-called ‘penetration tests’ on your network to identify where it might be vulnerable, so that those weaknesses can be addressed before any person or system takes advantage of them. Regularly updating software with patches is important, as is training people to understand how to follow the security processes designed to protect them and your network. These basic steps are a good start and lay the groundwork for a sound security policy. Creating a ‘Technical Organisational Measures’ document is an effective way to capture the different ways in which your systems have been secured. This document can be used to help improve or strengthen agreements and to reassure customers that you’ve taken steps to address security.
While companies usually do not plan for a data breach, it is something every business should prepare for. The GDPR includes specific notification and follow-up rules for companies that discover a breach. So while it’s important to stand up systems to prevent them, it’s also a good idea to put together a plan for how the business will react should one occur. Conducting exercises with the employees who have roles in reacting to a data breach is an effective way to make sure everyone is comfortable with their responsibilities and understands what to do in the event of a breach. That way, you’re not dusting off that process binder for the first time and paging through the steps during a potentially stressful and time-sensitive situation.
Establishing a security plan, testing what you have in place, training your team and making sure you have a breach response plan are important steps for companies that need to comply with the GDPR. If you process personal data about EU residents, you should take the time to put all of the above in place.