How to Prepare for the EU GDPR

Written by

A recent report by the Close Brothers revealed that only 4% of British companies understand the impact of the European Commission’s upcoming General Data Protection Regulation (GDPR). For the remaining 96%, it is very much in their interest to find out. 

On May 25, 2018, new rules concerning the accumulating and usage of data will come into effect. In this post-GDPR world, you’ll have to gain unambiguous consent before collecting personal information, you’ll need to wipe it after a predetermined period, and in the event of a breach, you’ll have to notify the relevant authorities and the relevant individuals within 72 hours. 

What’s more, not being based in the EU won’t save you. If you market products to any of its member states, and if you handle the data of any one of the bloc’s 508 million residents, it doesn’t matter if you’re based in Brussels, the US, or an Antarctic weather station: you’ll be expected to comply. If you don’t, you could end up paying €20 million in fines, or 4% of your yearly turnover (the larger amount, naturally). 

British businesses have two years to prepare for the GDPR. It’s enough time to create a comprehensive strategy, but you’d be wise not to defer it for too long. 

Auditing Data Processes
The fundamental thing to understand about the GDPR is that it’s not really a bad thing – or at least, it’s not supposed to be. It will certainly be painful, but it is at least well-intentioned. In the age of big data, it’s important to process information in a way that protects the user as well as your commercial interests. 

If businesses are being completely honest with themselves, they may well admit that, from time to time, they perhaps collect more data than they strictly need to. Research from Pure Storage indicates that 72% of companies are accumulating information that they never use – and that 22% of those do this “often”. 

You have nothing to lose if you stop gathering this data, and everything to lose if you continue to do so. The GDPR is both punitive and prohibitive: if your information security strategy isn’t up to scratch, you may well suffer for it. 

It’s on you to find a means of incorporating this regulation into this strategy. That starts by furnishing answers to some pretty basic questions. What data are you collecting? Why are you collecting it? Who has access to it – which employees, which contractors, which third parties? Do they know how to use your systems in a way that minimizes the risk of a breach? 

When you know all this, you should work out what you don’t need to collect, and stop collecting it. You also need to create a standardized process for informing users about how you intend to use their information – and gaining their authorization to do so. 

ASOCalypse Now
Insight is great, but it’s worth precious little without action. A sufficiently bad data breach can pose an existential threat to your business, so you’ll want to have some idea about how you should handle it. 

This isn’t just about shoring up your systems. You’ll certainly need to do that: a rigorous breach impact assessment will let you know exactly where you’re most at risk when it comes to data processing – enabling you to mitigate any potential damage – and you’ll need a plan for informing the Information Commissioner’s Office as well as anyone affected by the incident. 

However, a dirty little secret of your average IT crisis is that, in terms of overall business impact, it’s like any other crisis – shaped and dictated by how you deal with it from a PR perspective. The TalkTalk breach was undeniably damaging, but it was exacerbated by the company’s seemingly non-existent media relations strategy following the attack. The CEO refused to apologize, offered no explanation, and the organization kept charging £250 to quit its service. It was a catalogue of escalating errors, and TalkTalk got a pasting for it. 

The way you deal with a violation is the difference between a setback and a catastrophe. Draft placeholder statements in advance that express regret and convey reassurance, and have holding pages ready on your website. The GDPR’s requirement to inform customers is in some respects its most important stipulation, because compliance can harm your business’ reputation. Don’t let it. 

Form a People Strategy
In some situations, the GDPR may require you to designate a Data Protection Officer, but don’t think for a moment that that’s where you should stop hiring. They’re there to stress the importance of compliance, make sure you do the right paperwork, and report any breaches, but creating an information security strategy isn’t within their remit or skillset. 

Strategic hiring will be necessary: you’ll need people to take care of storage, network segregation, encryption, and more. Start with a Chief Information Security Officer and make sure they have a large degree of autonomy over recruitment. If nobody’s patrolling the perimeter, you shouldn’t be surprised when there’s a burglary. 

The fundamental thing to remember about data breaches is that they don’t care about laws or regulations. Whether you fully comply or flagrantly violate the rules, if they want to go after you, they’ll go after you. Ticking boxes may be necessary, but it’s less than half of what you have to do. 

It was true before the GDPR, and it’ll be true when it’s inevitably replaced by something else: when you hire, when you talk to the media, and when you improve your security, you should do so strategically – and with the sole view to protecting your customers and therefore your business.

What’s hot on Infosecurity Magazine?