May 25th 2016 will now be known as a significant date in the history of data security in Europe. Companies across the EU now have two years (until May 25th 2018) to ensure they are compliant with the General Data Protection Regulation (GDPR).
The objectives of the GDPR are to give control of personal data back to citizens and to simplify regulations for international business with the European Union. Data protection regulation to date has been a complicated affair, primarily because each EU country had slight differences in its interpretation of it. GDPR will end this confusion and these varying interpretations by placing all EU countries under the same regulation.
From an Irish perspective this adds protection to the fastest growing sector of the Irish economy. The digital economy contributes 5% of national GDP and is growing at approximately 20% annually. Nine out of the top ten global software companies, all of the top ten global ICT companies, and the top ten “born on the Internet” companies have significant operations in Ireland. Protecting and sustaining this investment, which provides employment for over 100,000 people, is a vital priority for Ireland.
GDPR's road to approval has been a slow one. Conversations about GDPR began in 2012, with final approval only granted in April of this year. It is now up to companies to get in line over the next two years. This timescale provides companies with more than enough time to comply with GDPR; however, a recent survey carried out by YouGov and Netskope revealed that only one in five companies feel they will be GDPR compliant by the deadline. Eduard Meelhuysen, VP at Netskope, said decision makers need to take a step back to get a better understanding of the current state of their data.
Another survey, by Trend Micro, revealed that 20% of UK IT decision makers are still unaware of GDPR's existence. What is more shocking from this survey is that almost a third of those who did know about GDPR either didn't think the regulation was relevant to their organization or were unsure.
The figures are not much better on the mainland either. A survey carried out in the UK, France and Germany revealed that only 12% of companies surveyed felt ready for GDPR, and 40% of French companies didn't even know GDPR existed. 68% said that it would require investment in new technologies to meet GDPR regulations. However, whilst the financial burden of compliance will be a significant one for businesses, it looks like the burden of non-compliance will be a whole lot harder to swallow. According to a report from IT Governance, companies that suffered data breaches paid fines of £52,000 on average.
The search for compliance begins
Based on these results it is clear the next two years will be a busy time for many IT departments across Europe. For many, a good place to start will be educating yourself on what GDPR is and then evaluating what your company needs to do to reach compliance. Once you understand what is involved, you will need to plan how you will achieve it.
To help start the process we have put together some questions you should ask yourself. It is vital that organizations understand the who, what, why, where and when of all the Personally Identifiable Information within their control.
- Whose details do you have? The data you possess on your clients and prospects is not the only data you need to consider. Data about your staff, suppliers and any other individuals will also need to be considered.
- What details do you have? Name and contact details are the obvious data that come to mind, but do not forget about transactions and interactions such as emails, IP addresses, website visits etc.
- Why do you have the data? Ask yourself why it was gathered and whether you need all of it. Why keep data that is simply not relevant to your organization?
- When was the data gathered? Is the data still relevant since it was first procured? Does it still need to be retained?
- Where is the data located? Establish where the data is stored and what its journey is in between. What systems does the data sit on and how safe are they? How does it get there, and what third-party access is there?
How to achieve compliance?
The most cost-effective and least time-consuming method of achieving GDPR compliance is to adopt an information security management system that brings your company in line with GDPR regulations, is also recognized globally, and provides confidence to your clients that you take cyber security seriously and that your organization does all it can to protect their data from a possible cyber-attack.
With the GDPR coming in, data location will become an important factor, and certification to standards like ISO 27001 will become the minimum for organizations to become GDPR compliant. To sum up, now that GDPR will be in effect, being certified to ISO 27001 will help you meet GDPR regulations and will provide you with an advantage over your competitors.
ISO 27001 Information Security
The best solution for meeting GDPR regulations, and the best possible framework for protecting your organization's data, is achieving ISO 27001 certification. By integrating a robust information security management system, your organization can ensure that its quality, safety, service and product reliability have been safeguarded to the highest level.
The ISO 27001 Information Security Management System (ISMS) standard provides a framework for information security management best practice that helps organizations:
- protect client and employee information
- manage risks to information security effectively
- achieve compliance
- protect the company's brand image.
If you wish to learn more and find out how ISO 27001 can help your organization, you can join one of our training courses on how to implement ISO 27001 in your organization. The training course gives attendees an extensive overview of what it takes to be ISO 27001 certified.
Full details on our course can be found here.