12 months after the implementation of the General Data Protection Regulation (GDPR), the fining has started and the ICO are not holding back!
The GDPR is back in focus after record-breaking fines have been handed out for the mismanagement of personal data. Following the staggering £183 million fine given to British Airways, the most recent company to incur the wrath of the ICO has been Marriott International, for its security breach last year. 339 million guest records globally were exposed, of which seven million related to British visitors, and the consequence was a £99m fine. Given that, in this case, the data in question was associated with a company that Marriott had only recently acquired, the message from the ICO is clear: ignorance is no longer an acceptable excuse and the consequences will be severe.
The GDPR applies to all businesses that process personal data, not just large corporations. We have therefore put together our top tips for staying compliant and avoiding the fines.
1. Know your data
This is easily the number one weakness for any business. If you don't know what data you hold, how can you manage and protect it? This can be particularly tricky for businesses that are processing vast amounts of personal data on a daily basis. The key is to have strong audit measures in place and to keep records. Ask the following questions about every piece of data: What is coming in? Where is it coming from? What is the lawful basis for processing this data? How long do I keep it?
2. Keep policies up to date
Once you know what your data is, you need policies in place to manage it, and everyone must know what those policies are. In the event of a breach, the ICO will want to know that you had the measures in place and did everything in your power to protect the data you hold. Remember, ignorance is not an excuse.
3. Put in place processes to detect fraud
How do you know if data you are holding has been compromised? Do you have processes in place to limit access when it is not required? When purchasing data (perhaps for marketing purposes), make sure suppliers are thoroughly checked. Being able to prove to the ICO that you check regularly is absolutely essential.
4. Are your systems secure?
There are many different areas to consider here, but it is always a good idea to start with these: your firewalls and computer protection; how cloud-based services (such as your CRM) protect personal data; where physical data is held; access privileges; and what your processes are if an employee leaves. Doing everything you can to protect data, and documenting everything, will show the ICO your commitment to data protection.
5. Is everything documented?
The key thing the ICO will look for in the event of a problem is proof that you have been keeping data secure. Keeping records and tracking data can be a daunting task. It is well worth considering a software solution that fits into your daily business activities and monitors that data for you. Recording your data in the software will provide a full audit trail if one is needed.
Complying with the GDPR and avoiding fines doesn't have to be time-consuming or expensive with easy-to-use compliance software. The ICO has demonstrated its power and commitment to protecting personal data, so now is the time to ensure your company is not vulnerable.