OK. Stop for a minute and take a deep breath. GDPR, the General Data Protection Regulation, comes into force on 25 May 2018. Does the date signify some kind of IT Armageddon, or does it just seem that way because of what you’ve been reading in the media?
Let’s start at the very beginning. GDPR is a piece of legislation, and as such it tells you what you can’t do. There’s the first problem: having said you’re not allowed to do something, it doesn’t go on to tell you what you should do instead. That’s something you have to work out for yourself. And there’s the second problem: the answer won’t be the same for every company.
So, let’s come at this from another direction and de-mystify the law’s objective, because that’s where the first chink of light appears at the end of the GDPR tunnel. The law is trying to stop individuals’ personal data being lost, leaking out through lax procedures in the way you run your business, or harvested by cyber criminals. We’re not talking about 15-year-old boys in their bedrooms; this is about hacking attempted on an industrial scale. The numbers of attacks really are eye-watering, and they’re happening right now.
Think Health & Safety for data

To help you understand GDPR more easily, let’s think about Health & Safety instead. It starts from the view that everyone should go home from work in the same state of health as when they arrived. To support that objective every company has procedures and processes, defined in legislation, in place to protect workers. The need for that protection is obvious and understood.

But hang on, not all companies are the same. Take HBP Systems as an example. We’re largely office based. As such we have no major manufacturing activity, no forklift trucks, no welding and no overhead cranes. The detail of our response to Health & Safety legislation is therefore different from that of a company which undertakes all of those operations as part of its daily activities, but the same legislation applies to all of us.

In the same way, GDPR wants data to be protected to the same standard all the time, which means that asking ‘what should I do?’ draws the answer ‘it depends’. It depends on the kind of business you have and what sort of data you hold. A company like ours, which is involved with the IT networks of more than 600 Humber region companies, must take a different approach to GDPR from that taken by the cash-only window cleaner whose only IT is a web site showing pictures of the windows he cleans. The same rules apply to both companies, but the response to them is very different. He holds almost no data worth stealing; we have access to a great deal.
So what should you be doing? Here’s some more light at the end of the GDPR tunnel. You already do a great deal of what’s required. The Data Protection Act has been telling us to protect data since 1998. However, just as standards in Health & Safety have risen over the years, so GDPR is moving data protection to a higher standard, trying to achieve for individuals’ data what Health & Safety does for their physical wellbeing. Try asking the ‘what should I do?’ question another way, by asking ‘how easy would it be for my data to be lost?’ and reacting accordingly. There are two things to consider. The first is the threat of being hacked by cyber criminals; the second is the ease with which an employee could copy data onto a memory stick and carry it out in a bag or pocket. It happens. People are regularly the weakest link in IT networks. We’ve all heard about sensitive data being left on buses and Tube trains… You need to take steps that make both eventualities less likely.
It’s good business practice

More good news comes from understanding that you’re probably already doing much of what GDPR wants you to do without even realising it, because it’s good business practice: not passing data to third parties, using it wisely, storing it safely, and completely removing people from your database when they ask you to and you have no lawful reason to keep their details. Nobody is routinely inspecting you, and you’re not going to get into trouble unless something goes wrong. It’s down to you and your business to take account of what you’re doing. What you should do is have all the checks and balances in place so that, if something did go wrong, you could look Information Commissioner’s Office officials in the eye and say ‘we did everything we possibly could, and this still happened. In order to stop it happening again, we are going to refine our process’. More importantly, being able to say that to yourself probably means you’re not going to lose any data, so you won’t be in that position in the first place.
Can I prove it?

There’s no specific certification to show that you comply with the new rules, but there are two steps you can take to show your commitment to data protection. The first is certification under the Government’s Cyber Essentials scheme, and the second is third-party certification to ISO 27001. Oddly, although GDPR doesn’t require you to hold either, it’s increasingly likely that both will appear in the tendering process, as companies looking to have work done will want to know how hard potential suppliers are working to comply with the rules.
So, what next?

Make it as tough as possible for anyone to get at the data you hold. Encrypt it. Don’t let employees have access to all of it; give each person access only to the data their job requires. Don’t use the same password for everything. Do all these things because they’re good business practice, not because someone in Brussels has told you to. The rules exist because this is good business practice, not because there has been a sudden and dramatic change. Protect yourself, and other people’s data, as much as you can, and you’ll be complying with GDPR. And if you’re still uncertain, get in touch with HBP Systems. We’ll talk to you about the rules as they apply to your business.