Post-GDPR Struggles? Help Is At Hand

Issue 37

As the dust begins to settle on a post GDPR landscape, Dave O'Connell, managing director at Advantex, offers some advice for those still struggling to come to terms with the changes.

Despite undertaking measures to improve data security and privacy, 38% of global organisations responding to a recent survey by Harvey Nash and KPMG believed that they are not compliant with the new General Data Protection Regulation (GDPR) requirements.

Indeed, the Federation of Small Businesses (FSB) raised concerns that many of the UK’s 5.7 million SMEs were unlikely to be fully GDPR-ready. This in turn has led to worries among business leaders and entrepreneurs, who want to know when, and how, they are likely to feel the consequences of noncompliance.

So, if you are one of those who didn’t hit the May deadline, or are perhaps worried that you might not have done enough to keep the Information Commissioner’s Office (ICO) off your back, there are a number of simple but effective measures that can be taken to provide some reassurances.

The two key areas to consider are proactive consent and the security of information and data. The former means that you have acquired full consent to use or store a person’s data, that is, any data from which their identity can be derived. You must disclose exactly what information you are collecting and how you intend to use it for future purposes.

While consent can be relatively easy – updating the privacy policy on your website and including a consent pop-up might be all that’s required – the security of information and data is considered the hardest part. With government figures suggesting that almost 46% of all UK businesses have been the subject of a cyber-attack, you could easily be a target for hackers.

Where do you begin with data security? An initial step is to run a discovery scanner. This will examine your external network, identifying what is connected to it and exposed to the internet, and therefore what needs to be considered in your data security plan.

Once you understand what your external network consists of, running a penetration test (pen test) would be the next good move. This involves an ethical hacker, who will attempt to compromise your external network and see how far they can reach inside it. They will then provide you with a comprehensive report of the security weaknesses found. Your IT team (or partner) should then be able to spend their time plugging these gaps, bolstering your business and ensuring it is more resilient to threats.

Quarterly vulnerability scans can then follow as part of a series of best-practice initiatives, in an effort to find any entry points through your external network. A vulnerability scanner is not as thorough as a pen test, but it will alert you to any changes in your network which might pose a threat. It should be noted that most hackers employ their own vulnerability scanner to identify ‘weak businesses’ before launching their attack.

Following these steps – along with new investment in staff training to equip them with the requisite skills, and ensuring that your technology is properly configured and office data is always secure – can significantly reduce the chances of a cyber breach. You will be able to rest easy knowing you have proof that you have taken the appropriate steps to secure your customers’ and employees’ data, which is of prime importance to the ICO.
