How GDPR and cyber security work together
On April 25th 2017, Computer Futures held an event to discuss GDPR and the effect this will have on businesses. We invited Kat Gibson, Senior Associate at DLA Piper, and Steve Lamb, Technical Director at Cipher, to join us and speak about EU GDPR and cyber security. Described as “a very informative session which was highly relevant” by a delegate and a “very clear summary and exposition” by another, the event was a success. In this article we look at why you need to have a GDPR plan in place that considers your cyber security measures too.
What GDPR means for you
Thanks to Kat's background in employment law and data protection advice, she was able to look at GDPR from a legal perspective. As you may or may not know, the new regulations come into force on 25th May 2018. They're designed to ensure a level playing field, as all companies, regardless of size, will need to follow the regulations or face financial consequences. Failure to comply will lead to a fine of up to 4% of your annual turnover or €20 million, whichever is greater. Currently, the maximum fine is €500,000.
Key GDPR takeaways:
- It’s designed to give your business a lead regulator – although each country may have their own set of rules regarding employment/employee data, EU GDPR provides a one-stop-shop for all other data.
- Data minimisation is key – only request the information you need in order for your business to operate.
- Consent must be given freely and explicitly – it's not enough to assume individuals have given it just because they sign up for something. You need to let them know exactly what you're going to do with their data. If you change the use, you need to re-notify each individual affected.
- Carry out a privacy risk assessment – look at where the risks are, how high each risk is, and what the solutions are.
- Data breaches need to be notified within 72 hours – failure to do this may result in a fine.
Why cyber security needs to be considered
GDPR has been developed to protect the privacy and sensitive data held by companies, so it makes sense that cyber security should factor into your plans. Larger organisations will already be familiar with data protection regulations to some degree, be that HIPAA, PCI or SOX; smaller ones may not be. Now there's something in place that ensures any data breach is met with damaging financial consequences.
Steve gave some great examples of why it’s important to do all you can to make sure your business doesn’t experience any data breaches. He explained that when Target and TalkTalk were breached, they saw their share prices drop because people lost confidence. Target, for example, also ended up paying out over $100 million as a result of the data hack; it’s breaches like this that make compliance a necessity.
The importance of knowing where your data is also became clearer as Steve spoke. After all, how can you protect something if you don't know where it is? He also said it's worth asking yourself whether you'd miss all of your data if you no longer had it. If the answer is no, get rid of what you don't need. This is similar to what Kat said about data minimisation.
And when you’ve purged your data..? Treat EU citizen data as if it was the crown jewels of your business. Privacy should be thought about from the second you start putting together your GDPR plan and should remain a focus throughout.
In doing this, you minimise the risk of a data breach by putting protection in place that makes it harder for your data to be hacked. Of course, no method of defence is impenetrable, but you can still work to make a breach harder. The result is that you not only store just the information you need, but also decrease your chance of being fined for inadequate protection.
Computer Futures are here to help
James Spear, Senior Client Relationship Manager at Computer Futures, had this to say about the event: "We were very grateful for our two guest speakers and attendees. I think it reflects how important education around GDPR is, as there are so many organisations who are still unsure how to approach it. As a business we've already made a number of changes, so from our perspective it's really interesting to work with customers in an area that we are seeing the impact of first hand. There were some interesting discussion points from the blend of experience in the room and from the feedback we've had – it would seem that a lot of people took a lot away from the session and enjoyed building their network."
If you’d like to hire some of the greatest cyber security professionals, Computer Futures can help. Simply contact us today and let us know more. And if you’re looking for a new opportunity in the industry, why not look at our list of available cyber security jobs?