This month it will be six months since the EU’s General Data Protection Regulation, better known as the GDPR, came into force in the UK. Cybersecurity expert Dr Debbie Garside explains what Welsh businesses need to know about the GDPR and why they must not take it for granted.
Six months ago the GDPR came into force, ushering in a new, stricter era of data protection intended to give individuals greater control over how their personal data is collected, stored and used.
The introduction of the GDPR on May 25 received large amounts of publicity, much of which focused on the huge fines that could be levied against businesses and organisations found to be in breach of the regulation – up to €20 million (£17.4 million) or 4% of turnover, whichever is greater.
The GDPR was initially announced by the European Union in 2016, giving businesses and organisations two years to prepare for its implementation.
Regardless of the outcome of Brexit, the UK Government confirmed that the GDPR would apply in the UK as its rules would be incorporated into a new Data Protection Act. In any case, the regulation would apply to any international companies with EU citizens as customers, which would affect many UK businesses.
Businesses and organisations were told to get ‘GDPR ready’ by strengthening their data collection, storage and dissemination processes. A plethora of seminars, conferences and workshops took place across the country to help people prepare for this new data regime.
But after this initial flurry of activity you could be forgiven for thinking that all has gone quiet on the GDPR front. I am concerned that people have stopped taking it seriously. The very fact you hear about serious data breaches seemingly every week shows businesses and organisations still don’t have the right data protection policies, procedures and technologies in place.
Recently there have been warnings that UK businesses are not adhering to the GDPR. A survey by IT provider Probrand found many UK businesses are risking fines because of poor practice. The survey of more than 1,000 workers in full or part-time employment found the majority of businesses (68 per cent) failed to wipe data from IT equipment they disposed of in the two months following GDPR.
In terms of regulatory action, we’ve yet to see any significant sanctions or fines for breaches of the GDPR, but it is surely only a matter of time. Without a doubt we will see businesses and organisations being made an example of before long. Everyone in the cybersecurity sector is waiting to see who’s going to be first.
The European Data Protection Supervisor Giovanni Buttarelli told Reuters he expected the first GDPR sanctions, including fines, ultimatums and even bans, “by the end of the year”.
One aspect of the GDPR people might not be aware of is the right of an individual to make a Subject Access Request (SAR) to a business or organisation to determine whether it is holding any information about them.
These requests can place an excessive burden on businesses or organisations, which must quickly identify, collate and redact the information and then respond within the limited time period of 20 days.
To be able to carry out these requests, an organisation must first understand what data it holds and exactly where that data resides. You need to ask: What are you searching for? Where will you search for it? How will you find the data and respond to the request? Imagine you have 100 laptops and PCs: that soon becomes a significant task with a potentially huge cost in terms of resources and finance.
The GDPR also highlights the need to use technology solutions to assist with compliance. Whereas these used to be expensive and unwieldy, affordable next generation technology solutions aimed at all sizes of business are now available, and organisations run the risk of hefty fines if they do not implement them.
Six months on from the biggest shakeup of data protection regulation in a generation, it’s clear that not enough businesses and organisations are truly ‘GDPR ready’. The policies, procedures and technologies are just not in place to be fully compliant.
No matter what size business you operate, the GDPR has to be on your radar. More than that, it has to be written into your policies and procedures and considered in every business transaction and process.
The GDPR can’t be viewed as “someone else’s responsibility”, or as the exclusive preserve of the IT department; it has to be ingrained in the mind of every employee from the top down. The financial and reputational damage your business could face for a breach of the GDPR is too great to risk ignoring the regulation. Employee training is a must.
It might have been a quiet first six months for the GDPR but I guarantee that before long we will be hearing much more from the ICO and the EU, who will no doubt be looking to make an example of a business or organisation that is flouting the new rules.
So, my message is simple – if you haven’t already done so, put making your business GDPR-compliant at the top of your to-do list. And even if you think you already are complying, make sure you keep on top of it and don’t get complacent – the risks to your business are too high.
Debbie Garside is a cybersecurity expert and founder and CEO of Cardiff-based GeoLang, an award-winning software development company specialising in enterprise security and digital resilience – part of the Shearwater Group.
As originally published in Western Mail.