What We’ve Learned About GDPR Compliance In IT Support
When the European Union (EU) General Data Protection Regulation (GDPR) began to apply in May 2018, it was billed as the most significant privacy regulation in 20 years.
The regulation covers personal data wherever a company stores it. This can include on-site servers, cloud storage, staff computers, mobile devices and removable media. Paper records also fall under GDPR when they are held in a structured filing system.
From an IT support standpoint, GDPR compliance has often been treated as little more than a nuisance by businesses and internet users. The intended benefit is to give consumers more confidence that their sensitive data is secure and to protect employees against rogue employers (and that does happen).
Although there is no statistical evidence that consumer confidence has improved since GDPR, we would assume it has, particularly in data-critical industries such as medicine, finance, insurance and law.
But GDPR catches any business that provides goods and services to UK and EU residents in its net. In many cases, the only information stored on a website is an email address so that customers can log in to their accounts, and an email address is still personal data.
Furthermore, GDPR covers personal data in every form. That includes employee records, and because the security obligations extend to availability and resilience, losing personal data through a system failure you had no backup or disaster recovery plan for can itself be a breach. There are quite a few rules you are obligated to address to avoid breaching the regulation:
- Where you rely on consent to process consumer data, it must be given via an affirmative ‘opt-in’ mechanism rather than an ‘opt-out’ strategy
- Consumers must still be able to withdraw consent or ‘opt out’ at any time, for example via an unsubscribe tool
- Consumer or employee data may not be sold or shared with a third party without a lawful basis, which in practice usually means the individual’s consent
- Companies cannot use data for purposes other than those it was collected for
- Lost or destroyed personal data counts as a personal data breach (i.e. system failure, fire etc.)
- A personal data breach must be assessed and, where it poses a risk to individuals, reported; a breach that reveals inadequate security is itself a breach of GDPR
- Personal data that is altered without authorisation is also a breach
- Firms must appoint a data protection officer where the regulation requires one (see below)
It’s worth noting that “individuals” includes your customers, employees, visitors and the staff of companies you purchase from if you are part of a supply chain; the protection attaches to the people, not to the companies themselves.
Basically, every business in the UK and throughout the EU is subject to GDPR. And so are many other companies throughout the world. The EU’s reach extends to any business that offers goods or services to UK or EU residents, or monitors their behaviour, no matter where in the world that business sits.
If you’re a hotel in Timbuktu that takes bookings from French tourists, GDPR applies to you too.
Is GDPR Compliance Working?
GDPR is supposed to give consumers more rights to determine how businesses access, use and store their personal data. Consumers also have the right “to be forgotten”, whereby a company must delete the personal data of the individual requesting erasure from its systems unless it has a legal reason to retain it.
The thing is, nobody reads privacy policies and some companies, especially tech giants, are including terms that allow them to use your data how they like.
For example, by giving your consent to use their services, Facebook and Google use your personal data, typically your search history, to send you targeted content and targeted ads.
Apparently, there’s a loophole in the law here. Concerns about how the large platforms handle personal data were part of what drove GDPR in the first place.
Tech companies are also sharing your data with government agencies. And not always for the benefit of law enforcement agencies to solve or prevent crimes.
As you can see from the list above, a principal function of GDPR is to prevent businesses from selling customer data to third parties for profit. If this policy worked, you would expect to see a reduction in spam emails (and, ideally, targeted advertising).
We haven’t, have you?
From a consumer point of view, we have to say that GDPR Compliance is not really working. Those pop-up boxes are intrusive and impair the user experience.
However, from an IT support perspective, and arguably a business perspective, it’s working very well.
In addition to “empowering” consumers with the right to choose how businesses use their data, GDPR Compliance also prompts enterprises to provide evidence that demonstrates their strategy for securing and protecting data.
Whilst this may feel like an inconvenience to companies, it does prompt business leaders to protect their networks from cybercriminals. Minimising the risk of a data breach could prevent hackers using ransomware from shutting your business down.
On the other hand, GDPR obligations could shut your business down.
The duty to protect the private data of your customers, employees and other third parties introduced strict security requirements. If the obligations listed above are not adhered to, the regulator can issue a fine.
Penalties are set at a maximum of £17.5 million or 4% of your annual global turnover, whichever is higher. In addition, the ICO must be notified within 72 hours of becoming aware of a reportable breach, and the affected individuals must be informed without undue delay where the breach is likely to pose a high risk to them.
To date, the majority of fines handed out by the Information Commissioner’s Office (ICO) have been for non-compliance with the general data processing principles (for example, a business website that gives consumers no indication of how their data is collected or stored).
An increasing number of penalties are being handed out for failing to install adequate cybersecurity defences. From our position, data breaches will be the leading cause of GDPR penalties moving forward.
Moreover, GDPR Compliance is an obligation which will require continuous revision and updates. As cybercriminals develop more sophisticated techniques, businesses come under more pressure to keep up to date with cybersecurity.
From an IT support perspective, implementing effective cybersecurity defences should be a priority. Our prediction is that GDPR enforcers will start issuing heavier fines to companies that have not stepped up their GDPR Compliance game.
Although the maximum fine is 4% of your annual turnover (or £17.5m), the ICO takes into account the steps a company has taken to lower the risk of a data breach when setting a penalty. Data breaches can still occur regardless of how strong your cybersecurity defences are. We would point you to the number of data breaches Microsoft has suffered as a case in point.
It would, therefore, be unjustified for ICO agents to issue crippling fines on companies that have installed reasonable cybersecurity defences in accordance with a realistic budget. And as we have previously documented, cybersecurity solutions don’t have to be expensive.
Whilst an ICO penalty will undoubtedly hurt small business growth, most companies should be able to recover from a fine of 4% of turnover. However, a widely repeated industry figure claims that 60% of small businesses close their doors within six months of a data breach.
Businesses that suffer a data breach are obligated to report the incident to the individuals affected when it is likely to pose a high risk to them. In practice this usually means informing your customers of the breach, even if the data involved is no more than their names and contact details.
Deloitte analysts found that the hidden costs of a data breach are the most devastating. The issue is that consumers lose confidence and trust. The impact on your brand’s reputation is more devastating than ICO penalties.
Appoint A Data Protection Officer
Many businesses are legally obliged to appoint a data protection officer (DPO) to meet GDPR compliance, and those that are not still benefit from naming someone to own it. The DPO is responsible for overseeing GDPR compliance, including:
- your company’s data protection strategy
- monitoring data storage and data transfer operations
- educating and training employees about their obligations under GDPR
- implementing policies to ensure GDPR compliance
- responding to data subject access requests
- liaising with the ICO in the event of a GDPR breach or other request
There are still some grey areas with regard to appointing a DPO. The ICO stresses that a DPO must be appointed if your organisation is a public authority, if your core activities involve regular and systematic monitoring of individuals on a “large scale”, or if you process special category or criminal offence data on a large scale.
We assume that “large scale” implies a significant figure. However, until a figure is fixed, “large scale” might be interpreted however the ICO deems fit.
It’s also important to note here that there is no limit on the size of your company. The number of employees working for you is irrelevant. For example, you may have a small five-man team but store the personal data of 200,000 subscribers to your YouTube channel or maybe even 5000 email captures.
Is 5000 considered a large volume?
A DPO can be someone on your team who understands how to apply GDPR compliance companywide. Their duties would also include ensuring that your efforts to prevent hackers from infiltrating your business systems are adequate.
Our IT support specialists in London can serve as a supporting arm for your DPO. We will ensure your cybersecurity defences are the best they can be for your budget and ensure you consistently maintain effective security solutions moving forward.
GDPR Compliance IT Support Services
Creating solid IT Security strategies that protect against all possible threats should be a priority for business leaders in light of the devastating effect GDPR Compliance failures could have on the continuity of your business.
Our IT support team in London can help in several ways, namely cybersecurity awareness training, patch management, 24/7 monitoring, cloud backup, disaster recovery planning, anti-virus, and configuring the security settings on your software and devices.
Not every company will need all these services. However, there are several that most businesses should invest in.
Our IT professionals use monitoring software that detects irregularities on your network. One of the functions the software performs is to flag logins from new users or locations and other suspicious activity that could indicate an intruder. It can also identify files that are not ordinarily there.
24/7 monitoring tools are highly effective at detecting suspicious activity and can prevent a security breach. They also identify potential points of failure that occur in your business network which enables our specialists to rectify problems and eliminate potential downtime.
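The “flag new logins” function described above boils down to comparing each successful login against a baseline of what has been seen before. The following is an added example written for this page, not code from any monitoring product; it parses sshd-style “Accepted …” lines and alerts on any (user, source IP) pair that is not in a constructed baseline. The log lines, hostnames and baseline are all constructed sample data.

```python
"""Flag logins from previously unseen (user, source IP) pairs in auth logs.

Added example, not code from the original page or from any vendor's
monitoring product. The log format mimics OpenSSH sshd "Accepted ..." lines;
the baseline of known pairs and the log lines below are constructed sample data.
"""
import re
from collections import defaultdict

# Matches sshd success lines such as:
# "Mar  3 09:12:01 web1 sshd[2231]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2"
ACCEPTED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+sshd\[\d+\]:\s+"
    r"Accepted\s+(?P<method>\w+)\s+for\s+(?P<user>\S+)\s+from\s+(?P<ip>[\d.]+)"
)

# Constructed baseline: (user, source IP) pairs observed during a learning window.
KNOWN_LOGINS = {
    ("alice", "10.0.0.5"),
    ("bob", "10.0.0.7"),
}

# Constructed sample log lines (one failed login mixed in to show it is ignored).
SAMPLE_LOG = """\
Mar  3 09:12:01 web1 sshd[2231]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
Mar  3 09:15:44 web1 sshd[2290]: Failed password for root from 203.0.113.9 port 40022 ssh2
Mar  3 09:16:02 web1 sshd[2301]: Accepted password for bob from 10.0.0.7 port 51300 ssh2
Mar  3 23:41:17 web1 sshd[4410]: Accepted password for alice from 203.0.113.9 port 40110 ssh2
Mar  4 02:03:55 web1 sshd[4512]: Accepted publickey for deploy from 198.51.100.23 port 33001 ssh2
"""


def parse_accepted(line):
    """Return a dict of fields for a successful-login line, or None otherwise."""
    m = ACCEPTED.match(line)
    return m.groupdict() if m else None


def find_new_logins(log_text, known_pairs):
    """Return the successful logins whose (user, ip) pair is not in known_pairs.

    The learned set is extended as lines are processed, so a new pair that
    repeats within the same run alerts only once.
    """
    seen = set(known_pairs)
    alerts = []
    for line in log_text.splitlines():
        rec = parse_accepted(line)
        if rec is None:
            continue  # failed attempts and unrelated lines are not logins
        pair = (rec["user"], rec["ip"])
        if pair not in seen:
            seen.add(pair)
            alerts.append(rec)
    return alerts


def summarise(alerts):
    """Group alerts by account so an analyst sees each account's new sources."""
    by_user = defaultdict(list)
    for a in alerts:
        by_user[a["user"]].append(a["ip"])
    return dict(by_user)


if __name__ == "__main__":
    new = find_new_logins(SAMPLE_LOG, KNOWN_LOGINS)
    for a in new:
        print(f"NEW LOGIN {a['ts']} {a['user']} from {a['ip']} via {a['method']}")
    print(summarise(new))
```

Run against the sample, the script alerts on alice logging in from 203.0.113.9 at 23:41 (a known account from an unknown address, the classic sign of a stolen password) and on the never-before-seen deploy account. The same baseline-and-diff pattern, with file paths and hashes in place of user/IP pairs, is how the “files that are not ordinarily there” check works.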
Every business uses software and hardware that poses a potential security risk if they are not updated. Apps and plugins present hackers with gateways onto your network.
In most cases, it is your responsibility to apply a security patch once the vendor has released it. The vendor is not responsible for a data breach if you have not installed the latest security update. And that means relying on every one of your employees to update their own device.
Patch management services close that gap. Updates can be approved and deployed centrally from a remote location, so security patches are applied automatically and your employees don’t have to do it themselves.
Expand Awareness of Cybercrime
GDPR isn’t just an issue that executives and IT teams should be aware of. Industry surveys consistently attribute the large majority of data breaches, over 90% by some counts, to human error. A typical “error” is clicking on a malicious link in an email.
One of the most effective ways of preventing a data breach is to ensure your staff know where cybersecurity threats come from. Our IT professionals in London will train your team members to recognise the common security threats and issue periodic updates whenever new hacking techniques are discovered and reported.
IT Support in London
Our IT support team in London helps organisations install adequate security defences. We can also provide a GDPR strategy and put processes in place to prevent and contain potential data breaches.
Having watched how GDPR has unfolded over the last five years, it is evident that compliance regulations are far more damaging to SMEs than large corporations.
Protecting the sensitive data of your customers and employees essentially means protecting the continuity of your business. Our IT support in London ensures your business is in better shape to survive.