Capgemini research published in September 2019 revealed that fewer than 30% of businesses had achieved GDPR compliance. That means many companies are still building out their data privacy and data security practices in order to become GDPR compliant, and those that have already achieved compliance must sustain their new standards.
Security Boulevard recently shared an article by Vigilant Software which sets out the differences between data privacy and data security. The two elements need different processes and skills, but combined they help an organisation achieve GDPR compliance. The article’s author, Julia Dutton, puts it this way:
GDPR compliance = data privacy + data security management
Data privacy covers the protection of personal information: names, email addresses, medical information and so on – in fact, anything through which a person can be identified, whether on its own or when combined with other data. Data security is about how a company protects the confidentiality, integrity and availability of that data. The two aspects are separate, but they need to be managed together.
A quick look at GDPR Article 32
GDPR’s Article 32 requires controllers and processors to implement appropriate technical measures as well as organisational ones: policies, procedures and processes. The level of security must be appropriate to the risk that the processing of personal data poses. Anyone within an organisation who has access to personal data must work in compliance with GDPR – it is a responsibility that spans the entire organisation, right down to the individual.
In practice this means companies must choose their digital systems wisely, and must also define the processes employees follow when collecting and using personal information. Employees should understand GDPR and why following the compliant processes matters.
Here at The Defence Works we deliver GDPR training that helps drive user awareness, reduces the impact of a data breach and, ultimately, helps companies avoid huge fines – and we keep it engaging via quick-fire sessions that your employees will find useful (no jargon, we promise!).
Imperva, in its coverage of Article 32, says data security measures should at least:
- Pseudonymise or encrypt personal data (Article 32 itself names pseudonymisation, not anonymisation: pseudonymised data is still personal data and remains in scope of the Regulation)
- Ensure the ongoing confidentiality, integrity, availability and resilience of data processing systems and services
- Be able to restore the availability of and access to personal data in a timely manner after a physical or technical incident
- Regularly test, assess and evaluate the effectiveness of the technical and organisational measures in place
Technical measures such as software and tools must be chosen with regard to the state of the art, the cost of implementation, and the nature, scope, context and purposes of the processing together with the risk it poses. Remember, there is no silver bullet for GDPR compliance.
Organisational strategies for achieving data privacy and compliance, according to Imperva, should include change management, data discovery and classification, data loss prevention, data masking and protection, privileged user monitoring, rights management, user activity tracking, and data access auditing. They should also include “ethical walls” separating business groups that need different levels of access, and extra protection for VIP data and other highly sensitive records.
Maintaining compliance once it is achieved
A GDPR checklist to help maintain compliance, by Programming Insider, tells companies to ensure they consistently:
- Monitor who has access to data and what data is being stored
- Give consumers access to their data when they request it
- Identify, categorize, and catalog all data elements stored and from every source
- Define what counts as personal data, document all procedures and make sure they are shared across every part of the business
- Govern procedural compliance and who has access to personal data and how much access they have
- Protect data using appropriate encryption and anonymity
- Inform consumers how data is protected
- Delete data that is no longer required
- Audit data centres and data storage silos
It is of course vital that companies, or their nominated data protection personnel, familiarise themselves with the complete GDPR, translate it into the relevant business processes, and implement those processes in every part of the operation.
For many companies, data privacy and GDPR compliance amounts to a full-time role or more. For others it may mean hiring specialists or training internal personnel or teams. There is also plenty of expert third-party help available. It comes at a cost, but the fines for non-compliance with GDPR are steep: British Airways and Marriott Hotels are two firms that have already discovered how painful a lack of GDPR compliance can be.
GDPR has costs and benefits
Investing in data privacy and data security does more than satisfy GDPR. The Regulation is, after all, designed to protect data and prevent data breaches, and to a business the cost of a breach is massive, both in money and in its future prospects.
A data breach for a small business costs on average $200,000, and 60% of breached small businesses go out of business within six months. That is before any fines for non-compliance with GDPR.
In contrast, the benefits of GDPR compliance are big and they don’t just extend to data privacy and security protection. Capgemini’s survey found that of those who are continuing to work hard towards GDPR compliance, 81% reported that GDPR had a “positive impact” on their reputation and brand image.
After all, we owe it to each other to look after our data in a more pro-active, professional way.
Want to engage your employees around the issues of data security and integrity? Sign up for a free demo of our GCHQ-certified GDPR Awareness training, today.