Ready For The New Rules On Data?

Issue 27

Andy Hunter, Technical Director at technology solutions experts ITPS, takes a look at why businesses need to prepare now for the new data protection laws that come into force in 2018.

In 2018 the Data Protection Act (DPA) will be replaced by the EU’s General Data Protection Regulation (GDPR). As well as extending the scope of the DPA, it involves much stiffer penalties for those who do not comply with new rules around the storage and handling of personal data. Fines could be £18m or 4 percent of global turnover, whichever is higher. So what do the changes cover? You can read the full detail on the Information Commissioner’s Office website, but some of the key changes are:

The definition of data will be wider; for instance, it will also cover children’s data, and an online identifier such as an IP address could be classified as personal data

The rules for obtaining consent have been changed, and an audit trail must be maintained

Data protection impact assessments will become mandatory, as will the appointment of a data protection officer for certain types of organisation

Notification of data breaches will be mandatory

People have the right for their data to be forgotten.

The new rules will have a big impact on how organisations gather and process data, and while May 2018 is not far away, a recent YouGov poll of 2000 businesses showed that 71 percent were not aware of the new penalties. Around 38 percent were aware of the new rules, but only 29 percent had started preparing for them.

While the Information Commissioner’s Office has published a useful guide to steps that you can take now, our advice is to take a step back and start by undertaking a comprehensive review of your ICT security as a whole. Nearly half of all crime now has an element of cyber-enablement, so it makes sense to take all necessary steps to protect yourself against security breaches arising in the first place. Starting by looking at data security in isolation would be like baling water out of the basement of your house without first fixing the hole in the roof where the rain is coming in.

Even the smallest of businesses typically has a website and uses smartphones, tablets and laptops. Weighing opportunity against your people’s need for ‘anywhere, anytime and from any device’ access, while staying on the right side of the GDPR, will be a delicate balancing act.

Unless you have an in-house team of security experts, the wisest move is to bring in some help to create and deploy the right solution for your organisation. Make sure you appoint partners who are experts in topics such as external security, data leakage, email encryption and archiving, spam and antivirus, and have a track record in successful implementation and support.

Some basic principles to consider include:

Backup: if you do not back up your data securely, and hold it off site or split between on and off-site, there is a high probability that one day you could lose it.

Control: do you know where your data is stored and how it is accessed? Data centre models, with multi-layered monitoring and security, are super-safe, and cost effective even for small businesses.

Cloud services: lowered costs and bespoke models can make it easy to create a secure, part-public and part-private cloud in which to keep your data safe and accessible.

Policies: create and monitor staff policies, particularly those around updating both company and personal mobile devices that staff use to connect to your network.

Use the available tools and keep up to date: even the smallest businesses should have a firewall, antivirus software and email spam filters in place.

Data protection and security is a wide-ranging topic that cannot be comprehensively covered in a short article such as this one, but if you want to find out more about protecting your business, get in touch with our experts, come to one of our regular technology briefings or sign up for our monthly newsletter.