There are still UK companies struggling with compliance under the current Data Protection Act. Some are still playing “catch up” on even the most basic cyber security systems and the principles of storage of personal information.
Many of these are possibly blissfully unaware that the EU’s General Data Protection Regulation is on its way in 2018. This legislation mandates the need to encrypt and protect data on a whole new level.
Sophistication of cyber criminals
Headlines regularly provide examples of some of the biggest and best-resourced organisations coming under attack from hackers or viruses.
The NHS, Disney and the new Samsung Galaxy S8 smartphone are just three brands which have recently experienced the sophistication of modern cyber criminals.
When it is hard for the “big guns” to fight off attacks, small businesses must certainly guard themselves against complacency or, worse still, ignorance. They must start to plan for the GDPR now, including auditing and improving the way they handle personal data.
To be blunt, it could be argued that industry and commerce are already falling behind in keeping up with threats. During 2016 in the UK, 54,468,603 records were compromised. This is a staggering 475% increase in the number of data breaches, when compared to the year before.
Keep in mind that companies are not currently required by law to admit data breaches. So how many go undetected or unreported?
It is not surprising therefore, that measures are being taken to force companies to invest a great deal more in understanding the potential risks to data and implementing effective security solutions.
Don’t be fooled into thinking that Britain’s exit from the European Union makes it immune to the repercussions of the EU General Data Protection Regulation. The legislation affects all databases which hold information on residents of EU countries. This means there may be only a relatively small number of SMEs operating locally that can dodge the bullet.
The GDPR will give consumers far greater rights over the way their information is collected, used, stored, transferred and disposed of. Companies will be required to make technical and organisational changes to stay compliant with the new, in-depth requirements.
As well as looking closely at the scope and context of all personal data they hold, companies must start introducing security measures to protect it from all forms of misuse, misappropriation or loss.
The GDPR makes it absolutely clear that businesses need to “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.”
The sort of measures the GDPR requires of companies include pseudonymisation and encryption of personal data, so that identity is disguised. There will also be increased emphasis on having resilient and reliable equipment and procedures to process all personal data.
This must all be carried out in the framework of crisis management too. How can companies restore data and gain access to it swiftly if they come under cyber-attack or experience some other form of breach?
Frequent testing will be essential – including securing professional help to replicate the effect of hackers. There may also need to be increased surveillance within IT teams and anyone else with access to data, to ensure protocols are strictly adhered to.
Encrypting personal data
The GDPR doesn’t currently spell out any particular criteria for how personal data should be encrypted. The main thrust is that companies need to take measures to ensure that, if there is a data breach, systems have been designed so that the information is useless to anyone who misappropriates or gains access to it.
This is good news, as it gives companies room for manoeuvre on the systems, techniques and technology they employ. However, it can also leave room for ambiguity. If the right professional expertise is not used to audit and design new data control systems, sensitive data can be left inadequately protected without anyone realising it.
It also means companies need to fully comprehend the data they hold - and how sensitive and valuable it is.
Where do risks arise, at any point in the process from collection to disposal?
How can it be encrypted with a key that is entirely secure, but also easy to unlock so the data can be used for its intended purpose? For many companies, encryption key management strategies will be a new area of expertise, investment and even recruitment.
New data security will not just be about technology and systems, but also about people. Who within your team should hold encryption keys, and how can you restrict access to sensitive or valuable data on a “need to know” basis?
Risks of ignoring the threat and GDPR
The new legislation protects consumer rights to a much higher level, and brings with it considerable financial retribution for companies who fail to comply.
Companies that do not secure their data, including by encrypting it, face a potentially more devastating cost post-GDPR: loss of reputation.
When so much is being done to stop data breaches, a company that fails to keep up may find increasingly savvy and security-conscious consumers are unforgiving.
If you would like to discuss how we can help you prepare for the General Data Protection Regulations, including surveillance and cyber security testing procedures, contact 1st Call detectives today. We have a new encryption certificate on our site, as we value customer security, privacy and discretion.