GDPR - the EU General Data Protection Regulation - is now in effect. The regulations are designed to protect the data privacy of EU residents, but because the rules affect any company handling EU data, their effect is actually international.
There’s a lot of information to digest for business people who are trying to figure out their new data management liabilities.
As cybersecurity vendors, customers look to us to explain where they stand under the new GDPR rules.
MailGuard wants to support our partner community by providing you with resources to help your customers understand the GDPR. For a summary of the GDPR’s impact on business and the next steps companies should take to handle their responsibilities, read on.
Data storage and security
The ready availability of cheap data storage has created a situation where companies can store every bit of information they ever handle; in fact, stockpiling data has become a business strategy for some companies. But that data-hoarding has led to a serious liability issue for a lot of organisations that are now confronting the cold hard realities of the EU GDPR.
If a company has terabytes of random files squirrelled away in server farms or cloud storage facilities, they’re now facing the task of figuring out what those files could cost them if they are compromised and the GDPR enforcement authorities penalise them.
Data storage breaches are not the only an issue for businesses managing their GDPR responsibilities; any information handled by a company can be regarded as “data” under GDPR; audio and video files; contact lists; text messages and email; anything that “allows the identification of a natural person.”
What does GDPR mean for companies?
The GDPR guidelines state;
- “Personal data must be processed in a lawful and transparent manner, ensuring fairness towards the individuals whose personal data you’re processing.”
- “You must have specific purposes for processing the data and you must indicate those purposes to individuals when collecting their personal data. You must ensure that personal data is stored for no longer than necessary for the purposes for which it was collected.”
- “You must install appropriate technical and organisational safeguards that ensure the security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technology.”
With such far-reaching regulatory powers, GDPR is a powerful incentive for organisations to do a better job of protecting themselves from data breaches. The best way to ensure they don’t fall afoul of GDPR is for companies to implement rigorous cybersecurity measures and keep the data they handle safe.
“The principle of accountability is a cornerstone of the GDPR,” according to the official GDPR website.
On the website, there are detailed guidelines for companies about how to meet their GDPR responsibilities, but the central tenant of the regulation is the idea that responsibility for data security lies with organisations that hold that data.
Penalties under GDPR
The GDPR guidelines state:
“A business is responsible for complying with all data protection principles and is also responsible for demonstrating compliance... While your company/organisation still has to respect and comply with the GDPR, adherence to such (compliance) instruments might be taken into consideration in the case of an enforcement measure against you for a breach of the GDPR.”
The penalties specified in GDPR are substantial; 20 million Euro or 4% of a company’s annual revenue, whichever is higher.
GDPR also gives authority to SAs to prevent a business they are investigating from processing data. The objective of these powers is to give EU authorities tools to sanction organisations that might not be influenced by the threat of fines. The reality is that a ban on data processing could virtually shut down most companies, so the clause is a massive incentive to stay out of the GDPR black books.
Actions to avoid GDPR penalties
Making a company resistant against GDPR penalties hinges on instituting comprehensive and effective security policies to safeguard data.
Basic preparation for the GDPR can be summarised in 3 steps:
- Data audit
- Risk assessment
- Security implementation
The first step toward cybersecurity risk management is knowing what data a company is collecting and how it is stored. A comprehensive data audit is fundamental because companies need to discover what information they handle that could create liability. The GDPR is very inclusive in its scope, so a data audit should look at all platforms, device types and departments.
Once a data audit has been done the next step is to conduct a risk assessment which examines:
- What cyber-threats a company faces.
- The security weak-points in the technology infrastructure.
- The effectiveness or otherwise of current cybersecurity measures.
Key recommendations for strengthening data security include:
- Using strong passwords and 2-factor authentication
- Providing cybersecurity training to team members
- Getting professional advice on strengthening cybersecurity
- Implementing local and cloud-based cybersecurity protection
Learn more about GDPR
As a leader in cybersecurity, MailGuard applauds the introduction of the GDPR as an essential contribution to global data regulation.
To help your customers get ahead of the curve on data security MailGuard has created an easy-to-read info-pack explaining the implications of GDPR for businesses.
The free GDPR info-pack is available for download, here.