GDPR is one of the most over-used acronyms of the year, even out-trending Beyoncé in Google search volume. In this new reality, data protection and privacy are kings, re-writing the rulebook on how businesses work together and deliver services to customers.
With the (now real) threat of fines up to 4% of global turnover or £20 million, what does GDPR look like in practice and how can bosses use this shake-up to their advantage?
See the positives
It’s easy to be sucked into the negative rhetoric surrounding GDPR and see it as just more red tape. The truth is, there will always be winners and losers in every situation where regulatory changes are involved.
The losers will be companies that don’t take the law seriously and neglect to follow cyber security guidance from governments and organisations like the Centre for Internet Security. The winners are the ones using new legislation as a chance to refresh key business functions and gain an advantage over the competition.
A recent study found GDPR would make up to 75% of customer data held by UK companies “useless”. Database depletions on this scale may appear catastrophic, but for years, marketers have wasted time and money communicating to people who have never (and are never going to) engage with the brand.
A “data detox” is well overdue, leaving only quality leads and redefining customer relationship management. This, in turn, will simplify compliance with Data Subject Access Requests and reduce infrastructure costs for things like data storage, back-ups and security.
GDPR compliance can also be a strong pull factor for customers considering your brand or deciding whether to stay loyal. The public has never been so aware of their data protection rights and held such high expectations of companies they engage with.
Make no mistake, GDPR is not a matter to be palmed off to your IT or compliance team. According to the ICO, four of the five leading causes of data security incidents are due to human errors and process failures.
Now’s the time to introduce data protection by design across the whole business. Introducing new business practices and security controls to support data privacy can be challenging. If users perceive the changes as too dramatic, and their managers are not actively supporting them, the danger is that users will actively avoid adapting.
There’s also the problem of keeping up with the evolving cyber threat landscape. At one end, attacks are constantly becoming more intelligent; at the other, techniques such as social engineering continue to succeed at exploiting people’s trusting nature to obtain confidential information voluntarily.
Email phishing, which is seeing a resurgence, requires little skill and is being attributed to threat actors similar to those who carried out the 419 scams/advance-fee frauds common 10 years ago.
Regular training workshops hosted by experts are a must; try IAPP courses, which can be taken online or in person. It’s also good practice to test how well your employees can apply their cyber security knowledge. Why not try some tactics internally, such as sending fake spear phishing emails to the company network to see who clicks on the links or attachments and who flags it to the right person?
Make sure all employees, those working on-site and remotely, are informed of any updated protocols to keep defences strong and promote accountability. Having a clear reward and disciplinary process also gives employees an extra push to make the right decisions when it matters.
Previously, data protection legislation focused on the controller, or the company “owning” the data, not the actions of third parties with access. However, under GDPR, many controllers worry they may face unlimited liability for a breach experienced by data processors on the grounds of failure to exercise due diligence.
To protect against liability damages and reduce risk, map where the data you’re responsible for lies along the supply chain and what your suppliers/partners are doing with this data. For both old and new contracts, ensure that you undertake a level of diligence that is appropriate to the risk that supplier presents to you.
Data processors should be committed to notifying you of a breach and providing you with the support you require to respond effectively in this situation.
It’s also important to clearly outline what data is being shared, what it can be used for, how long it can be kept and what will happen after the contract ends. This will help you notify the ICO of the compliance steps you’ve taken if the worst-case scenario does happen.
Cybersecurity insurance that includes first-party and third-party coverage is also recommended, to protect against the damages of breaches originating in-house or along the supply chain.
GDPR is by no means just another piece of red tape. It represents a real chance for businesses big and small to future-proof their processes, monetise data in an efficient (yet fair) way and build loyal relationships with suppliers, partners and customers.
All hail GDPR! Move over Queen Bey, there’s a new King in town.
Mark Overton is information security officer at Softcat