The role of technology

Technology will clearly have an important role to play in ensuring compliance with the EU GDPR, but in the event of a breach it will also be the difference between potentially ruinous fines and reputation damage, and coming out unscathed. Under the new legislation, businesses must be able to prove they have “… appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including encryption of personal data”. Additionally, and critically, notifying data subjects about a breach of their personal information is not required provided the data was protected by technical and organisational measures, “in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption”. In short, encryption is now a necessity for every business. Two caveats apply in practice: encrypted data only counts as unintelligible if the keys were not exposed in the same breach, and the exemption covers notifying data subjects, not the separate duty to notify the supervisory authority, which is assessed on the risk the breach poses. No two organisations are the same, however, and before any decisions about technology can be made it is important to assess what your current IT landscape looks like, what data you hold and what needs to be put in place for compliance.
Tackling the EU GDPR one step at a time

(1) Assess the risks posed to sensitive information by understanding how your organisation processes and handles data

This internal review should cover all procedures at all levels of the business, looking at the types of information that employees create or receive from clients and third parties, who has access to it within your organisation, and the tools used to share sensitive information both internally and externally.

(2) Educate end-users

This should not only be carried out as a best-practice exercise; it should also relate directly to the results of your internal audits. If employees are using tools like Dropbox without express permission from the organisation, or are sending sensitive information via plaintext email, it is important to work with them so that they understand the threat this poses and the repercussions should it lead to a data breach. Effort should also be made to train staff thoroughly in the data security tools available to them, and to motivate them to use this technology by, for example, making adherence to data protection policy a subject in performance reviews.
(3) Support employees with smart technology
Organisations also need to acknowledge that today’s increasingly complex IT environments do not lend themselves to a one-size-fits-all approach, so security solutions need to offer the necessary flexibility, whether that is email encryption, large file send or secure online collaboration. Greater protection can also be achieved by taking decision-making away from individual end-users: rather than relying on a member of staff to decide when an email or file should be secured, centralised policy-based control that uses the content of an email to decide how it is protected is less open to error.

It may seem overwhelming, but tackling the EU GDPR strategically and logically will make the task more manageable. Starting the process early will also avoid unnecessary pressure when decisions are being made, and will give you time to source the tools and partners best placed to fit your needs.

Tony Pepper is co-founder and CEO at Egress