Cyber-attacks and privacy threats are now a high-profile concern across all sectors. With 2018 just around the corner and the General Data Protection Regulation (GDPR) coming into effect on 25 May 2018, small and medium-sized businesses (SMBs) need to be prepared for this new regulation. In order for SMBs to comply with GDPR, their decision makers and key people in the organisation need to be aware that the law is changing. They also need to appreciate the impact this is likely to have within the organisation. Furthermore, SMBs that hold data on EU citizens have a responsibility for the protection of the data they store. This data needs to be stored systematically and protected from theft and misuse.
SMBs also need to be able to meet the data subjects' rights under GDPR, which are as follows:
- to be informed about data processing
- to access their data
- to rectify or delete their data
- to take their data to another organisation
How can they avoid the fines?
Data retention is also an important factor. SMBs can avoid the fines by deleting data after a certain period has expired, for example personal data collected in connection with a product purchase and its associated warranty. In addition, there are other types of data that need to be retained for a minimum amount of time, such as certain financial data. This means that SMBs need to know where personal data is stored and be able to respond to data requests in a timely manner.
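The two obligations above, handling the four data-subject rights and applying a retention schedule that deletes expired records while honouring minimum retention periods, can be exercised against a small personal-data register. The following is an added example written for this page, not code from the original article; the categories, retention periods, sample records and dates are all constructed for illustration and are not legal guidance.

```python
"""Minimal personal-data register (added example, not from the original article).

Supports the four data-subject rights named on the page (access/information,
rectification, erasure, portability) and a scheduled retention sweep.  The
retention schedule and sample data are constructed assumptions for this example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
import json

# Hypothetical retention schedule per data category:
# (minimum_keep_days, delete_after_days).  The minimum models data that must
# be kept for a legal period (e.g. invoices); the maximum models data that
# must be purged once its purpose has expired (e.g. warranty records).
RETENTION = {
    "warranty":  (0,    730),   # purchase + warranty data: purge after ~2 years
    "financial": (2190, 2555),  # invoices: keep at least ~6 years, purge after ~7
    "marketing": (0,    365),   # marketing consent data: purge after 1 year
}


@dataclass
class Record:
    subject_id: str   # who the data is about
    category: str     # key into RETENTION
    collected: date   # when it was collected (drives retention)
    data: dict        # the personal data itself


class PersonalDataRegister:
    def __init__(self):
        self._records = []
        self.audit = []   # plain audit trail of rights requests and sweeps

    def add(self, rec):
        # Refuse data that has no defined purpose/retention period.
        if rec.category not in RETENTION:
            raise ValueError("unknown category: %r" % rec.category)
        self._records.append(rec)

    # Right to be informed / right of access: everything held on one subject.
    def access(self, subject_id):
        return [
            {"category": r.category, "collected": r.collected.isoformat(), "data": r.data}
            for r in self._records if r.subject_id == subject_id
        ]

    # Right to rectification: correct one field wherever it appears.
    def rectify(self, subject_id, field_name, new_value):
        changed = 0
        for r in self._records:
            if r.subject_id == subject_id and field_name in r.data:
                r.data[field_name] = new_value
                changed += 1
        self.audit.append("rectify %s.%s (%d records)" % (subject_id, field_name, changed))
        return changed

    # Right to erasure, subject to any minimum retention period still running.
    def erase(self, subject_id, today):
        kept, removed = [], 0
        for r in self._records:
            if r.subject_id != subject_id:
                kept.append(r)
                continue
            min_days, _ = RETENTION[r.category]
            if (today - r.collected).days < min_days:
                kept.append(r)   # legal hold: cannot be deleted yet
            else:
                removed += 1
        self._records = kept
        self.audit.append("erase %s (%d records removed)" % (subject_id, removed))
        return removed

    # Right to data portability: machine-readable export of the subject's data.
    def export(self, subject_id):
        return json.dumps(self.access(subject_id), indent=2, sort_keys=True)

    # Scheduled retention sweep: delete anything past its maximum period.
    def retention_sweep(self, today):
        kept, removed = [], 0
        for r in self._records:
            _, max_days = RETENTION[r.category]
            if (today - r.collected).days >= max_days:
                removed += 1
            else:
                kept.append(r)
        self._records = kept
        self.audit.append("sweep %s (%d records removed)" % (today.isoformat(), removed))
        return removed

    def count(self):
        return len(self._records)


def demo():
    """Constructed scenario: one expired warranty record, one invoice under
    legal hold, one fresh marketing record. Returns (swept, erased, remaining)."""
    reg = PersonalDataRegister()
    today = date(2018, 5, 25)
    reg.add(Record("cust-1", "warranty", today - timedelta(days=800),
                   {"product": "NAS-4", "email": "a@example.com"}))
    reg.add(Record("cust-1", "financial", today - timedelta(days=400),
                   {"invoice": "INV-17", "amount": 499}))
    reg.add(Record("cust-2", "marketing", today - timedelta(days=30),
                   {"email": "b@example.com"}))
    swept = reg.retention_sweep(today)   # expired warranty record goes
    erased = reg.erase("cust-1", today)  # invoice still under legal hold, stays
    return swept, erased, reg.count()


if __name__ == "__main__":
    print(demo())
```

The point of the example is the interplay between the two rules: an erasure request is honoured immediately for data with no minimum retention, but a record still inside its legal retention window is kept and the refusal is recorded in the audit trail, which is the evidence a business needs when explaining to a data subject or a regulator why some data remains.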
What should they be doing?
Smaller and medium-sized organisations have to ensure they approach data protection by ‘design and default’. At a high level this means that companies must secure their systems and processes to ensure data does not leak out and cannot be easily hacked. It requires that data protection is designed into the development of business processes for products and services. This requires that privacy settings are set at a high level by default, and that technical and procedural measures throughout the entire data processing lifecycle comply with the regulation. Additionally, organisations need to implement mechanisms to ensure that personal data is only processed when necessary for each specific purpose.
Furthermore, SMBs need data storage that is both easy to access and manage and also has privacy and protection designed into its foundation.
- If they plan to store data in-house, their business will be both the data controller and the data processor. As a result it will be fully liable for the repercussions should any of this data be hacked or the regulations breached.
- If they plan to use a public cloud or hybrid-storage solution, it is the responsibility of the business to ensure that both it and the third-party provider are GDPR compliant.
- Password protection – Devices and files and/or folders that contain personal data should be protected by passwords. They should only be accessible to users who have the permission to access and/or process the data
- Encryption – data should always be encrypted whether stored or transferred
- Physical protection from theft / loss – devices that store personal data should have physical protection such as a Kensington lock or keys for NAS and hard drives in a server, or similar
- Anti-virus software to ensure that data isn’t infected with malware such as ransomware
- Firewall protection
- Backup and Restore – backups should be automated and carried out daily so that in the event of data loss the most recent copies of personal data can be retrieved
- Centralised storage should be preferred over local storage on PCs, laptops or external or portable hard drives. These devices are more prone to theft and unauthorised access. It’s also extremely difficult to control who has access to them and the data on them
Anything different from what the larger corporations are doing?
Unlike most large organisations, some SMBs are adopting a ‘wait and see’ approach. They believe that GDPR mainly addresses and affects big corporations that collect and deal with huge amounts of personal data, such as social networks, cloud providers or search engines. Many of these organisations are waiting to see what happens when a peer company falls foul of the legislation.
However, this approach is potentially damaging given that the threat of insolvency or even closure as a result of GDPR penalties is very real. GDPR applies to all companies, no matter how big they are or what their turnover is.