In the months leading to an after the adoption of the General Data Protection Regulation (GDPR), which set out stringent data privacy regulations, a lot of the discussion centered around how much ensuring compliance was going to cost corporations. Criticisms of being a racket were leveled at lawmakers and with EU states being empowered to fine offenders €20 million or 4% of the company’s turnover many a harsh word was said. The law is a fact of life and EU companies or those who store data belonging to EU citizens need to comply. Compliance does come with the benefit of if done correctly it will harden the company’s IT infrastructure against potential data breaches.
According to the UK Government, 46% of organizations experienced a data breach. In the years since that number was released to the public other countries have reported similar numbers. This implies that data breaches are a reality experienced by nearly half of the globe’s organizations that report such events. How then does GDPR help prevent breaches from occurring?
The law outlines organizational responsibilities when handling the data of EU citizens. If it is found that the organization failed in this regard the fines leveled above can be handed out to the fundamentally non-complaint organization. This is a big stick that the EU can wield but by understanding the organization’s responsibility they are on their way to adopting best practices and being compliant. For more information regarding compliance please visit us at https://cipherpoint.com/solutions/gdpr-compliance/.
In looking to avoid a breach as well as the fines that may be leveled at the organization it is incredibly important to understand what data is being dealt with. This assists in improving compliance but to do this data must be separated into what constitutes personal information. Any data deemed personal information and more importantly personally identifiable information needs to be stored securely along with exact knowledge of where it is stored. Security policies need to be developed around this knowledge so that data records can be efficiently maintained. Organizations have found success in this regard by implementing data processing inventories to better manage data separation, storing, and securing the data.
Closely related to the understanding of the data handled by the organization is the policies adopted by the organization to protect the data. These policies need to account for the collection, storage, accessing, and deletion of the data in such a way that they remain GDPR compliant. Further, all policies also need to include procedures regarding the updating of software and the response to a potential breach. Security solutions can be a game-changer in this regard especially when cloud storage and work collaboration technologies have been adopted.
Educating staff as to their roles defined by GDPR is a compliance requirement. Employees need to understand that when processing personal data the employee needs to do so within the GDPR framework. Secondly, they are required to help identify potential issues that may result in a data breach. This does require the organization to conduct education and training opportunities for staff which does cost extra, however, they have the added benefit of creating a workforce that can detect security issues and act accordingly saving the company a PR nightmare and massive fine.
GDPR compliance is viewed by many rather negatively. Compliance costs money to avoid having to pay more money in the advent of a breach where the company was found to be non-compliant. However, as it is a current reality it can be seen as an opportunity to future proof the company against future cyber threats including the all too common data breach.