GDPR is one of the most over-used acronyms of the year, even out-trending Beyoncé in Google search volume. In this new reality, data protection and privacy are kings, re-writing the rulebook on how businesses work together and deliver services to customers.
Since the law came into force on 25th May, there has already been a sharp rise in data protection complaints to regulators across Europe. While GDPR comes with its challenges, it marks a positive step forward for the business community, which has, for too long, relied on mass and often inaccurate datasets.
With the (now real) threat of fines up to 4 percent of global turnover or €20 million, what does GDPR look like in practice and how can businesses use this shake-up to their advantage?
Look on the bright side
It’s easy to be sucked into the negative rhetoric surrounding GDPR. The truth is, there will always be winners and losers.
The losers will be companies that don’t take the law seriously and neglect to follow cyber security guidance from governments and organisations like the Center for Internet Security. The winners are the ones using the new legislation as a chance to refresh key business functions and gain an advantage over the competition.
A recent study found GDPR would make up to 75 percent of customer data held by UK companies ‘useless’. Database depletions on this scale may appear catastrophic, but for years, marketers have wasted time and money communicating with people who have never engaged (and are never going to engage) with their brand.
A ‘data detox’ is well overdue, leaving only quality leads and redefining customer relationship management. This, in turn, will simplify compliance with Data Subject Access Requests and reduce infrastructure costs for things like data storage, backups and security.
GDPR compliance can also be a strong pull factor for customers. The public has never been so aware of their privacy rights. By demonstrating you take their privacy and security seriously, you’ll be able to build trust at a time when the public is losing confidence.
Previously, data protection legislation exclusively focused on the controller – or the company ‘owning’ the data – not the actions of third parties with access.
However, under GDPR, many controllers worry they may face unlimited liability for a breach experienced by processors on the grounds they failed to exercise due diligence.
To protect against liability and reduce risk, map where the data you’re responsible for lies along the supply chain and what your suppliers and partners are doing with it.
For both old and new contracts, ensure that you undertake a level of due diligence appropriate to the risk that supplier presents to you. Data processors should be committed to notifying you of a breach and to providing the support you require to respond effectively in that situation.
Cybersecurity insurance that includes both first-party and third-party coverage is also recommended, to protect against the damages of breaches originating in-house or along the supply chain.
According to the ICO, four of the five leading causes of data security incidents are human error and process failures. Make no mistake, GDPR is not a matter to be palmed off to your IT or compliance team; now’s the time to introduce data protection by design across the whole business.
Introducing new business data practices and security controls can be challenging. If staff think the changes are too dramatic and senior management aren’t actively supporting them, the danger is that staff will simply avoid adapting to them.
There’s also the problem of keeping up with the evolving cyber threat landscape. At one end, attacks are constantly becoming more intelligent and at the other, old-school techniques like email phishing continue to succeed at exploiting people’s trusting nature.
It’s good practice to test how well your employees can apply their cyber security knowledge. Why not try some tactics internally, such as sending fake spear phishing emails to the company network to see who clicks on the links or attachments and who flags it to the right person?
Regular training workshops hosted by experts are a must; try IAPP courses, which can be taken online or in person. It’s also important that all employees, whether working on-site or remotely, are informed of any updated protocols to keep defences strong and promote accountability.
GDPR is by no means just another piece of red tape. It represents a real chance for businesses big and small to future-proof their processes, monetise data in an efficient (yet fair) way and build loyal relationships with suppliers, partners and customers.
By Mark Overton, Information Security Officer, Softcat