How to get ready for GDPR?
Information regarding the General Data Protection Regulation (GDPR) has been widely publicised in recent months. It applies to every organisation that processes the personal data of people in the EU, whatever its size, and although it has already entered into force, it becomes enforceable from 25 May 2018, after which non-compliant organisations can be fined. If you have yet to explore how GDPR affects your operations, it is time to take action.
In preparation for Brexit the UK has already drafted its own version of this EU legislation, so leaving the EU will not remove the obligation. Beyond the legal requirement, good data protection simply makes good business sense.
What is GDPR?
No one wants their personal and financial data to get into the wrong hands, yet it has been all too easy for cyber criminals to obtain this information. With cyber-crime on the rise, companies have to take responsibility for managing data effectively. GDPR has been designed to ensure that data protection is a priority.
In summary, GDPR obliges every company to:
- Have a lawful basis for every processing activity before collecting or holding employee and client data (consent is one such basis; where you rely on it, it must be freely given, specific and informed, and explicit consent is required for special categories such as health data)
- Collect only the data that is necessary from employees and clients, and keep it no longer than needed
- Put in place appropriate technical and organisational measures, such as encryption and access control, to protect any data that you hold
- Remove data on request where the right to erasure applies (the right is not absolute; data you are legally required to retain need not be deleted)
- Be able to evidence that these requirements are being adhered to
What Action do I need to take to Comply with GDPR?
If your company already follows good practice regarding data, then minor changes may be sufficient. If no heed has been paid to cyber security, then it is time to take action.
If you don't think data protection is relevant to your SME, think again. In a recent report by Zurich Insurance, 875,000 UK SMEs were reported to have been targeted by a cyber security breach. This amounts to 16% of all UK SMEs. A fifth of affected SMEs stated that the cost to the business was in excess of £10,000 (and that is before GDPR fines come into force).
Given that basic defences can be put in place for less than this sum, compliance with GDPR is a case of ensuring you really have prepared for what, statistically, will one day happen to your business.
A good starting point is the Cyber Essentials scheme. This Government-backed initiative is designed to guard against the most common internet-based attacks and is estimated to reduce the risk by up to 80%. It is a basic level of good practice that applies to any size of business, from sole trader up.
Cyber Essentials involves completing a self-assessment questionnaire covering five technical controls (boundary firewalls, secure configuration, user access control, malware protection and patch management), backed by an external vulnerability scan of your internet-facing systems. The aim is to highlight areas of weakness, so you know where improvements are needed, and then to address the issues before certification is awarded. It is low cost and straightforward to complete, and there really isn't any excuse not to undertake this scheme.
A recommended enhanced alternative is Cyber Essentials Plus. This covers everything in the basic assessment, but the controls are independently verified: an assessor carries out an internal vulnerability scan and tests on a sample of your devices during an on-site assessment. A more thorough approach offers a better chance of reducing the risks and the potential costs to your business.
ISO 27001 Information Security
If your company collects a high volume of personal and financial data from employees and clients, ISO 27001 Information Security certification is advised. Be clear that this information is attractive and lucrative to criminals who have absolutely no concern for the impact on your business.
Think for a minute: what would happen to your company if some or all of the data you hold was stolen? Without the right systems in place, the chances of getting it all back are low. Could the business still operate? How are your customers likely to respond when you inform them that their credit card details, phone numbers, email and home addresses have been lost?
Ransomware can encrypt your data and hold it hostage until a ransom is paid. You may regain access by paying, or you may not. The damage to your business while your records are withheld could exceed any ransom you pay (especially if, despite paying, you don't get them back, or they are corrupted in some way). The ISO 27001 standard strengthens your defences against this sort of attack, including the backup and recovery controls that let you restore data without paying.
ISO 27001 Information Security certification involves auditing current systems and procedures, identifying risks and appropriate actions, implementing change and reviewing regularly. In addition to cyber-attack, the standard will help to protect your business against physical loss of data (caused, for example, by fire or flood), hardware or storage failure, and the accidental or malicious disclosure of information.
Invest in Data Protection
Be assured that the time and cost of investing in Cyber Essentials, Cyber Essentials Plus or ISO 27001 will be far lower than the cost of recovering from a cyber-attack.
In addition to the direct cost to your business, GDPR fines have been set at up to €20 million (roughly £17 million) or 4% of global annual turnover, whichever is higher. If you want to insure against such risks, the insurer will expect you to have robust controls in place, and these are the controls addressed by achieving ISO 27001 certification.
Training your staff to be more aware of the risks of cyber-attack is crucial and should be considered a key component of any action you take. This need not be expensive nor take very long. It should apply to all staff, whether or not they have a technical background, because cyber-attacks usually start with a phishing email, to which anyone can fall victim. Over 80% of cyber-attacks took advantage of staff errors or misunderstandings, so the cost-benefit decision on awareness training is an easy one.
Qualitation is experienced in providing advice and practical support at every step of the process. Our expertise can ensure that the process of gaining certification is efficient and beneficial to your organisation. If you are ready to take action, get in touch. We will help you to implement appropriate measures to protect your business, from training, through Cyber Essentials, to ISO 27001 and beyond.