There is no doubting the fact that awareness of information security issues has now hit the mainstream. Even before the recent spate of ransomware attacks, the so-called WannaCry attack, discussion of cybersecurity matters in the media and elsewhere had reached widespread prominence. One of the primary drivers of this renewed focus on information security is the impending General Data Protection Regulation (GDPR), which is set to come into force in a year’s time, on 25 May 2018.
GDPR is designed to replace the 1995 Data Protection Directive and will aim to provide people with the same data protection rights across the EU, regardless of where their data is processed. The legislation will have far-reaching effects on any organisation whose business involves processing personal data.
As well as this, failure to demonstrate compliance will lead to companies facing severe sanctions in the event of a data breach, in the form of fines of up to €20 million or 4% of global turnover, whichever is greater. Liability to fines of this scale could threaten an organisation’s ability to continue trading, meaning that it is in organisations’ own interest to act now to achieve compliance.
Does GDPR apply to me?
The extent of potential fines for failing to comply with GDPR has generated significant media attention, and is sure to be something that will need to be addressed by companies tendering for projects and other work. While budget constraints may, in the past, have caused organisations to take a lax approach to information security, the scale of GDPR fines means that this will no longer be the case.
On the contrary, the significance of GDPR and its proposed impact means that it will set the tone for the majority of conversations about cybersecurity between now and the time the legislation comes into force in May 2018.
GDPR applies to any organisation whose business involves processing personal data. The results of a recent survey carried out by Ward Solutions in association with TechPro magazine illustrated just how broad the scope of GDPR is by highlighting the percentage of companies that will be affected by the impending legislation. Some 74% of those surveyed stated that their organisation processes the personal data of Irish and/or European residents.
However, Ward Solutions’ experience indicates that this number is actually higher again and that this response may indicate a blind spot within many businesses when it comes to what they consider personal data to be.
Most organisations only consider data they collect or process from marketing prospects or third parties as being within the scope of data-protection regulation. However, virtually every Irish organisation holds personal data about its employees and customers, which brings it directly within the scope of GDPR.
Another of Ward’s key findings this year was that many Irish organisations have underestimated the scale of the challenge and the work involved in achieving GDPR compliance. As the final deadline is the same for all businesses, by the time many realise the scale of the challenge they will be forced to seek assistance from a limited pool of knowledgeable external resources.
For this reason, achieving compliance in time will end up costing a lot more than they bargained for, both financially and in terms of time spent. Companies that act now to achieve compliance will insulate themselves from potentially insurmountable fines while their competitors scramble to comply.
Steps towards compliance
When it comes to preparing for GDPR, the first thing that any organisation should do is establish its position on the compliance ladder. This can be done by asking a number of key questions about GDPR, and can help to provide an accurate estimation of the business’s readiness for GDPR as well as how much work remains to be done.
GDPR will ultimately aim to boost control and transparency when it comes to the processing of personal data, ensure consistent application and enforcement of associated guidelines, and boost the digital economy of the EU. To comply with these objectives, organisations must ensure that they are aware of where data in their control is stored and that they have a crisis management plan ready to roll out in the event of a potential data breach.
Companies should start their GDPR preparations by compiling a comprehensive inventory of personal data in their possession. This will enable organisations to establish exactly what type of data they process in the normal course of their business and eliminate blind spots related to storage of this data. Building a data inventory will also help businesses to ascertain why they have personal data.
As part of this process, companies must determine how and where this personal data is stored and processed, how it flows and is protected and whether or not their processing of the data is compliant.
Following the creation of the personal data inventory, organisations need to conduct a gap analysis to identify any disparities between their practices and the requirements laid out under GDPR. This process will enable organisations to identify the precise actions that need to be taken in order to achieve GDPR compliance, which will in turn feed into the creation of a Data Protection Programme – a structured information security programme specifically designed to help organisations become and remain compliant with GDPR.
GDPR is a complex piece of legislation that will impose onerous requirements on organisations to re-evaluate how they process and store personal data in their possession. To offer advice to companies looking to achieve compliance, Ward Solutions will run a seminar on 9 June in the Royal College of Physicians in Ireland, Kildare Street, Dublin 2 to outline the practical steps that companies must take to meet the terms of the impending legislation.
The seminar follows Ward’s booked-out February event, which aimed to raise awareness of the implications of GDPR. It is open to professionals who are eager to identify the specific actions that they need to take over the course of the next 12 months.
Ward Solutions’ GDPR event
At the event, industry experts from Ward Solutions and Fortinet will advise attendees on how to prioritise their information security and compliance activities, and how to develop strategies that identify and mitigate the risks to personal data that put organisations at significant risk.
Attendees are also invited to submit questions which will be answered on the day. This will ensure that the genuine concerns of Irish business owners and professionals when it comes to GDPR are addressed, enabling them to leave the event more certain than ever before about the steps that they need to take next.
As well as this, all attendees will receive a copy of Ward Solutions’ 2017 Information Security Report which provides insights into Irish organisations’ approach to tackling rising threats, while highlighting the challenges of taking the initial steps towards GDPR compliance. Those who wish to register for the event can do so here.
As the deadline for GDPR approaches, firms need to take their commitments to preserving the security of personal data in their possession very seriously indeed. Working towards fulfilling the requirements outlined under GDPR sooner rather than later will allow companies to focus their efforts on adding value to their business, and to compete for business for which the ability to demonstrate GDPR compliance is a prerequisite.