What is the GDPR & how can your company prepare for it?


Companies have just over two years to review their policies and ensure they are proactive and compliant on cyber security before the General Data Protection Regulation (GDPR) becomes law. This was a recent topic of discussion at the Cyber Security Seminars held by Robert Walters across the UK.

So what exactly is the GDPR? And how can your company prepare for it?


GDPR is a regulation

"[The first thing to understand is that the GDPR] is a regulation and it is replacing a directive. You won't get slapped for a directive, but you will for a regulation," said Andrew Hague - Managing Director, Secarma.

This means the FCA has more power to fine companies that are not diligent about their cyber security, and the fines can be larger. Under the directive, TalkTalk expected a fine of just £500k after their recent security breach; had the breach occurred with the GDPR in place, the FCA would have had the power to fine them £36.5 million.

For the first time companies are beginning to panic about the prospect of receiving a significant material fine. GDPR will become a legal requirement in 2018.

Preparation is key

For many companies ensuring compliance once the regulation has gone into effect will be too little too late. Proactive preparation is key to ensuring you are not fined under the GDPR. 

Companies need to thoroughly review their internal processes to pre-empt what needs to be fixed. Panellists in Manchester highlighted that this could mean having a data protection officer in place with the skills to complete a privacy impact assessment against all the personal data a company holds. Companies also need to understand the implications of every contract they have with any third party or supplier that is given access to personal information.

In order to comply with the regulations, companies need to know what type of data they have, where it is going and what sort of controls they have on it.

Information is key for employees

The first step towards preparing a company for GDPR is making all employees aware of the implications of a cyber security attack, so that they are more proactive about security. Many employees think cyber security falls completely under their IT department's remit. It doesn't.

Everything an employee does on a daily basis can contribute to a breach in your company if they do not follow the basic principles and policies. Whether it is compliance or anything else, it comes down to the individuals who build the foundations of your company. Everything starts with standing back and looking at all company and employee policies.


For instance, what are you doing from an HR perspective? How many of your employees receive the company policy on their first day, when they are handed a mobile or laptop? It is vital that a company considers the basic policies about its staff and how it allows its staff to operate on a daily basis.

Many companies need to start by going back to the basics: the core of the business, HR, and the ways in which staff work.

Update company system designs and controls

A lot comes down to basic design principles; many organisations simply do not understand where their data is going, or even what data they have. Many rush technology to market without putting basic design principles in place around securing or segmenting the data, and therefore allow breaches. Some breaches may benefit the user, but others allow cyber criminals to enter a system.

All the systems we have are there to make your life easier, and they have been designed and created with particular vulnerabilities to help people manage their IT. Take email as an example: if you start to type someone's email address into your mail client and you have auto-completion enabled, it shows you a list of names and addresses. This is a breach.

To be prepared for the GDPR you need to update your company system designs and controls so information is kept segmented and secure. 

"Take the analogy of a bank, you don't design a bank and put all the cash in one place. [You] vault the money and sandbox it away into individual safety deposit boxes. In a cyber world we shouldn't put all the data on the server then worry about the consequences later," said Andrew Avanessian - Vice President, Avecto.

"[Overall] know your business. Know what information you have to protect and then do something about it," said Adrian Holloway - Information Security Officer, SSC.


For more information about future technology seminars, or to have a confidential discussion about any of your recruitment needs, please contact:

Midlands:

Dawn May
Manager
0121 260 2520 
dawn.may@robertwalters.com

North:

Wayne Bennett
Manager
0161 214 7421
wayne.bennett@robertwalters.com
