Panic. Confusion. Companies bombarded with hype and opinion.
There are some of us old enough to remember all the warnings of doom and gloom if you were not ready. System meltdown and businesses going to the wall.
The build up to GDPR was rather like Y2K.
The many GDPR emails with warnings we received earlier this year were remarkably similar. Threats of huge fines and loss of customer confidence loomed large for organisations not being ‘GDPR ready’.
So much hype and confusion.
As the 25th May 2018 deadline has now passed, what has happened to those companies that still have not identified and protected all personal data?
Not a great deal.
The reality is that large and small companies are still working towards GDPR. Trying to understand where personal data is held. Understanding why it is processed and stored.
Controlling who has access.
Keeping Personal Data Safe.
Of course, GDPR is about making sure companies hold only the personal data that they need. That ordinary members of the public can question what information a company holds on them. All this needs to be carefully controlled.
However, companies should focus on protecting the personal data that is processed and stored.
Networks that store personal data need to be secure. Not just from the public Internet, but from internal groups. You do not want sales and marketing teams being able to view employee details on the HR network. Conversely, you do not want the HR team viewing sales account information.
How internal networks are configured is incredibly important to remain on the right side of GDPR.
After all, how personal data is handled often only comes into question when networks are breached, and data exposed.
The Road Ahead.
We are now entering a new phase of GDPR. All the hype leading to the May deadline has been and gone. As such, organisations now need to knuckle down and keep personal data safe as part of normal working practice.
In the UK, GDPR is overseen by the Information Commissioner’s Office – or ICO.
The ICO has issued guidance on how companies can get and stay secure. There is not currently a GDPR compliance standard per se. However, there are recommended standards that can be adopted.
Two recognised standards available are ISO 27001 and Cyber Essentials. Most organisations will have heard of these standards. Indeed, many may already comply. They have requirements such as protecting networks, working practices and staff.
For fear of standards fatigue, we won’t discuss the detail here. That said, each has several high-level disciplines that are very useful for GDPR.
Some GDPR Basics.
Make sure you know where your Personal Data is. You can start by finding the networks that hold and process data. Document this as it forms the scope of your GDPR network. It tells you what you need to keep secure.
Remove what is not needed. Any data not required – delete it. It will reduce risk and will reduce your GDPR compliance burden.
Lock access down. Not just from the Internet. Internal networks should be secure. This is often called segmentation. It controls access to networks and data. This is important if you do not want everyone viewing confidential employee records.
Get staff working securely. Just the simple stuff. Keeping desks clean, secure destruction of data, using name badges, accompanying visitors, being aware of phishing emails and online fraud attempts. Get staff educated in these simple tasks. It will pay dividends.
Test. Make sure that you test your network and people for resilience. Awareness training for staff. Penetration testing and vulnerability testing for networks. These tasks support best practice standards for ISO 27001 anyway – so you should be doing them periodically. Remember to ‘follow the data’. See more here… https://ambersail.com/wp-content/uploads/2018/03/Get-The-Most-From-GDPR-Penetration-Testing.pdf.
Repeat. Keep going. Revisiting GDPR basics. Refining and strengthening controls.
If you feel overwhelmed by GDPR, you are most definitely not alone. Remember that GDPR is there to protect personal data. Focus on this and where it is stored or processed and you go a long way to meeting GDPR.
GDPR Basics – Some Useful Links.
Cyber Essentials: https://cyberessentials.ncsc.gov.uk
Staff Training: https://www.ambersail.com/gdpr-training/
GDPR Penetration Testing: https://ambersail.com/gdpr-penetration-test/