Emmanuel Marshall 03 July 2018 09:50:06 AEST 6 MIN READ

GDPR: data security is the responsibility of companies


GDPR, the EU General Data Protection Regulation, is now in effect. The regulation is designed to protect the data privacy of EU residents, but because the rules apply to any company handling the personal data of EU residents, wherever that company is based, the true influence of the GDPR is international in scope.

The ready availability of cheap data storage has created a situation where companies can store every bit of information they ever handle; in fact, stockpiling data has become a business strategy for some companies.  But that data-hoarding has led to a serious liability issue for a lot of organisations that are now confronting the cold hard realities of the EU GDPR.

If a company has terabytes of random files squirrelled away in server farms or cloud storage facilities, it now faces the task of working out what those files could cost it if they are compromised and the GDPR enforcement authorities penalise it.

Breaches of stored data are not the only issue for businesses managing their GDPR responsibilities. Any information handled by a company can be regarded as personal data under the GDPR: audio and video files, contact lists, text messages and email, or anything else that “allows the identification of a natural person.”

The GDPR guidelines state:

“personal data must be processed in a lawful and transparent manner, ensuring fairness towards the individuals whose personal data you’re processing.

“You must have specific purposes for processing the data and you must indicate those purposes to individuals when collecting their personal data. You must ensure that personal data is stored for no longer than necessary for the purposes for which it was collected.

“You must install appropriate technical and organisational safeguards that ensure the security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technology.”

 

What does GDPR mean for companies?


With such far-reaching powers over how companies store and process data, the GDPR is a powerful incentive for organisations to do a better job of protecting themselves from breaches. The best way to ensure they don’t fall foul of the GDPR is for companies to implement rigorous cybersecurity measures and keep the data they handle safe.

“The principle of accountability is a cornerstone of the GDPR,” according to the official GDPR website.

On the website there are detailed guidelines for companies about how to meet their GDPR responsibilities, but the central tenet of the regulation is that responsibility for data security lies with the organisations that hold the data.

The GDPR guidelines state:

“A business is responsible for complying with all data protection principles and is also responsible for demonstrating compliance... While your company/organisation still has to respect and comply with the GDPR, adherence to such (compliance) instruments might be taken into consideration in the case of an enforcement measure against you for a breach of the GDPR.”

The penalties specified in the GDPR are substantial: fines of up to 20 million euro or 4% of a company’s total worldwide annual turnover for the preceding financial year, whichever is higher.

The GDPR also gives supervisory authorities (SAs) the power to order a business they are investigating to stop processing data, temporarily or permanently. The objective of these powers is to give EU authorities tools to sanction organisations that might not be influenced by the threat of fines. The reality is that a ban on data processing could virtually shut down most companies, so the clause is a massive incentive to stay out of the GDPR’s bad books.

 

Actions to avoid GDPR penalties


Making your company as resistant to GDPR penalties as possible hinges on instituting a comprehensive and effective security policy to safeguard your data.

Basic preparation for the GDPR can be summarised in 3 steps:

  • Data audit
  • Risk assessment
  • Cybersecurity implementation

 

Data audit

The first step toward cybersecurity risk management is knowing what data your company is collecting, where it is stored, why it is held and for how long. A comprehensive data audit is fundamental because you’ll need to discover what information your company handles that could create liability under the GDPR, and the audit is also where you find data kept for longer than its stated purpose requires. The GDPR is very inclusive in its scope, so a data audit should look at all platforms, device types and departments, including file shares, mailboxes, logs and backups, not just the systems you think of as databases.
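The following is an added example of the discovery part of a data audit; it is not code from the original article or from MailGuard. It walks a directory tree, flags files that contain personal-data patterns (email addresses, phone numbers and IBANs are the hypothetical categories chosen here), and marks any such file older than a retention window as stale, which is the “stored for no longer than necessary” check from the guidelines quoted above. The three sample files, the retention window of 365 days and the regular expressions are all constructed for this example; a real audit would cover more identifier types and far more locations.

```python
"""Personal-data discovery scan for a GDPR data audit (added example,
not from the original article). Sample files are constructed inline."""
import os
import re
import shutil
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

# Assumption: these are the identifier types this audit cares about.
# The phone pattern deliberately refuses digit runs glued to letters
# (timestamps such as 2018-06-30T09:50:06) to limit false positives.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"(?<!\w)\+?\d{1,3}(?:[ -]?\d){7,12}(?!\w)"),
    "iban": re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"),
}


def scan_text(text):
    """Return {category: hit_count} for every pattern that matches in text."""
    hits = {}
    for name, pattern in PATTERNS.items():
        count = len(pattern.findall(text))
        if count:
            hits[name] = count
    return hits


def audit_tree(root, max_age_days):
    """Walk root and return one finding per file that holds personal data.

    Each finding records the relative path, the hit counts per category and
    whether the file is older than the retention window (stale files are the
    'no longer than necessary' question the auditor has to answer)."""
    root = Path(root)
    now = datetime.now()
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="ignore")
        except OSError:
            continue  # unreadable file: skip, but a real audit should log it
        hits = scan_text(text)
        if not hits:
            continue
        age_days = (now - datetime.fromtimestamp(path.stat().st_mtime)).days
        findings.append({
            "path": path.relative_to(root).as_posix(),
            "hits": hits,
            "stale": age_days > max_age_days,
        })
    return findings


def build_sample_tree():
    """Constructed sample data: a CRM export, a log file with no personal
    data, and a three-year-old finance export. Returns the temp root."""
    root = Path(tempfile.mkdtemp(prefix="gdpr-audit-"))
    (root / "crm").mkdir()
    (root / "crm" / "contacts.csv").write_text(
        "name,email,phone\nA. Person,a.person@example.com,+61 2 9999 0000\n")
    (root / "logs").mkdir()
    (root / "logs" / "app.log").write_text(
        "2018-06-30T09:50:06 INFO service started\n"
        "2018-06-30T09:50:07 INFO nothing personal here\n")
    (root / "archive").mkdir()
    old_export = root / "archive" / "old_export.txt"
    old_export.write_text(
        "Refund to IBAN DE89370400440532013000 for j.doe@example.org\n")
    three_years_ago = (datetime.now() - timedelta(days=3 * 365)).timestamp()
    os.utime(old_export, (three_years_ago, three_years_ago))  # backdate it
    return root


def run_demo():
    """Build the sample tree, audit it with a one-year retention window,
    clean up, and return the findings."""
    root = build_sample_tree()
    try:
        return audit_tree(root, max_age_days=365)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for finding in run_demo():
        flag = "STALE" if finding["stale"] else "ok"
        print(f"{finding['path']:<24} {flag:<6} {finding['hits']}")
```

Run against the constructed tree, the scan reports the CRM export and the archived finance file and skips the log, and only the archived file is flagged as stale. The point of the retention flag is that the audit is not just a list of where personal data sits; it is the evidence you need to decide what to delete before it becomes a liability.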

 
Risk assessment

Once you've done a data audit to establish a clear picture of how your company’s data management works, you’ll be in a position to make a risk assessment:

  • What cyber-threats could your company face?
  • Where are the security weak-points in your technology infrastructure?
  • Do you have effective cybersecurity measures in place?

 

Cybersecurity implementation

  • Use strong, unique passwords and two-factor authentication
  • Provide cybersecurity education to your staff
  • Get professional advice on how to strengthen your company’s security
  • Implement local and cloud-based cybersecurity protection

 

Learn more about GDPR


As a leader in cybersecurity and data protection, MailGuard applauds the introduction of the GDPR as an essential contribution to global cybersecurity.

To get ahead of the curve on GDPR compliance download our easy-to-read info-pack to help you understand the implications of GDPR for your business. Get it for free, here.