IT Security Guru

The path for SMEs and GDPR

by The Gurus
December 22, 2017
in Editor's News

The end of 2017 is fast approaching. 2018 is set to be a fresh start for many, bringing with it new ideas and opportunities to make this world a more secure and safe place. It also marks the implementation of GDPR, which is set to revolutionise the way our data is stored and protected. Failure to comply means that severe fines will be imposed. While many large organisations might just survive the financial costs if they were caught with their security pants down, the same can’t be said for small enterprises.
According to the latest survey by Close Brothers, only one in four SMEs have prepared for the General Data Protection Regulation (GDPR), with only one in three being aware of GDPR’s implications.
For those that are not ‘aware’ and not ‘prepared’, perhaps the prospect of being fined up to €20m or 4% of their annual global turnover will get their attention. This amount could potentially bankrupt many SMEs, so with the GDPR implementation date around the corner, the time to act is now.
The Issues
Gerald Beuchelt, chief information security officer at LogMeIn, believes small businesses have as much at stake as any organisation when it comes to GDPR. “Smaller businesses with lower turnovers are likely to feel the negative effects of non-compliance harder than larger organisations. Non-compliance can also result in court orders which will forcibly change how a company does business, and can also impact where it really hurts – in consumer confidence.”
Many organisations would be conscious of the reputational damage caused should a company be found non-compliant. However, there is a common challenge that many SMEs face, as Helen Daveport, director at Gowling WLG, alludes to: they “do not have the access to advice and resources to dedicate to compliance compared to larger organisations.”
To some, however, the phrase ‘size doesn’t matter’ comes to mind when discussing GDPR preparedness. David Fathers, regional general manager at Crown Records Management, states “size is not the sole defining factor” and instead “it is the volume and sensitivity of the data being processed that matters.” Many organisations still hold data in paper format instead of digital form, which can prove to be a complication for some companies. Fathers continues, “for those thousands of boxes in storage it really is time to decide what is in them and what needs to be kept. In some cases, it may be better to destroy boxes which hold out-of-date data – data which no longer must be kept by law – than to keep them ‘just in case’ they are useful in future. In reality, it may prove costlier to keep data which is hard to locate and edit – and open up businesses to the possibility of future fines.”
Steps forward
For organisations scrambling and searching for which steps need to be taken first, there are a few specific things that can be done right away. A starting point would be to carry out a comprehensive data audit to locate exactly what data is being held and where it is being stored. David Fathers says “not all smaller companies will need to appoint a data protection officer but it is also vital that someone in the business takes responsibility for keeping up to date with the regulation. We’ve seen many companies start with an assumption that it’s an issue for the IT department. But, in reality, it’s a company-wide issue which requires board-level leadership, and buy-in from every employee in every department.”
Jonathon Wood, director at C2 Cyber, believes “human error can represent the biggest threat to information security, so an audit of staff and the way they are behaving, such as awareness of storage and security good practice, remote and mobile working policy and two step encryption, are all key.”
He continues, “most organisations have all the technology in place to ensure they are as secure as possible but many aren’t using it properly, so training the team coherently to ensure they are ahead of GDPR is a must.”
For Alastair Paterson, CEO and co-founder of Digital Shadows, it’s imperative that enterprises “establish GDPR compliance processes now. All firms need to establish and test processes in advance to ensure they know how and who to notify in the event of a breach. With only 72 hours to spare, SMEs can’t afford to wait and figure it out ‘on the fly.’ It is also advised that organisations seek legal counsel before carrying out any drastic changes. All of these changes require considerable thought, time and effort. Before firms go too far down the path of implementing processes and any supporting technologies required, they should seek professional legal advice to ensure that their chosen approaches suitably address the legislation.”
Eric Berdeaux, CEO at OXIAL, claims “GDPR is the most significant change to data protection law in the EU for a generation” and he is not wrong. With time slipping away, organisations need to stop burying their heads in the sand; otherwise they will suffer the ramifications of not being compliant.
A number of helpful resources and guidelines are available via the Information Commissioner’s Office (ICO): https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
