The countdown has started for North East businesses who have 12 months to prepare for new legislation that will significantly affect the way they manage information, says Karen Nelson, Managing Director at Calibre Secured Networks.
The General Data Protection Regulation (GDPR) comes into force from May 2018 and will signal a change in the way SMEs manage and look after a whole range of data and information. Also coming into effect simultaneously will be the Network and Information Security Directive (NSID), also known as the Cyber Security Directive.
So what is happening and how will companies be affected? And, importantly, what can they do about it in the coming months to get ready? In simple terms, GDPR is a new data protection regulation that will strengthen and unify the safety and security of the information held by an organisation. It's set to replace the Data Protection Act, making radical changes to many existing data protection rules and regulations that firms currently observe.
Failure to comply could see eye-watering fines of up to £20 million (or 4% of turnover, whichever is greater) for both the data controller and anyone else involved in the chain, such as those with responsibility for data shredding and disposal.
This regulation, coupled with the Cyber Security Directive, will add a further compliance requirement for all UK businesses, forcing them to adapt, or even adopt, new approaches to the way they tackle both data and cyber security issues.
Although it remains to be seen exactly how the new legislation will pan out and what its impact on the region's SME population will be, there are a few things we already know for certain. Data breaches will have to be reported, where possible, within 72 hours, while the definition of personal data will be extended to cover location and IP address as well as medical information.
It will also be incumbent upon business owners and managers to make sure that personal data is reasonably protected and that an individual's privacy is protected. The Cyber Security Directive will require providers of 'critical' digital services such as energy and banking to instigate 'appropriate security measures' relating to the detection and reporting of search engine and cloud computing breaches.
It is essential that SME owners and managers start planning their approach to compliance sooner rather than later, and that all those involved are not only made aware of, but also understand, the changes and embrace them. It may involve implementing new procedures to deal with greater transparency and individuals' rights provisions, with wider budgetary, IT, personnel, governance and communications implications.
One way forward is to find a suitable partner who can help you manage all of that in a safe, secure and compliant way. There is a plethora of IT partners out there who can help and who hold relevant accreditations such as ISO 27001, but when drawing up a shortlist consider factors beyond paper credentials and accreditations: experience in these matters always counts.
It's also important that any supplier that works with you can plan for growth and change, as it's easy to forget that extra staff place increased demand on IT resources and capabilities. A good IT supplier should be able to help predict how your needs will change in line with your strategy.
There can be little doubt that the advent of GDPR and the Cyber Security Directive will have an impact, and the clock is now ticking when it comes to action. SMEs need to be thinking about how it will impact them before it's too late, and find the resources that will help them leverage the technologies so that they're ready for a new dawn in May 2018.