THE LATEST EDITION

August 2018
M T W T F S S
« Jul    
 12345
6789101112
13141516171819
20212223242526
2728293031  

GDPR – Humanising Data Protection

Jon Fielding, Managing Director, EMEA Apricorn

By Jon Fielding, Managing Director, EMEA Apricorn

As the General Data Protection Regulation (GDPR) deadline looms, organisations are scrambling to find all potential vulnerabilities that could lead to sensitive data being lost or exploited. GDPR will ensure all countries comply with the same comprehensive controls over the personal data of European citizens, applying a consistent level of security and protection wherever it is processed. The new regulation is set to push organisations into taking appropriate steps to protect the data they house. Should a company be found in breach of GDPR, it could be subject to fines of 4 per cent of its annual global turnover or €20 million, whichever is greater.

Human Error

Organisations are investing heavily in new cyber security tools, adopting the latest software and threat intelligence in order to comply with the new legislation and avoid the consequences of a data breach. However, even with the greatest security systems in place, one of the biggest threats to intellectual property comes from the user and the risks posed by human error.

Human beings are typically the weakest link when it comes to data security. In a survey carried out by Apricorn, 48 per cent of companies said employees are their biggest security risk, and as many as 44 per cent expect that employees will lose data and expose their organisation to the risk of a data breach.

Human error and poor practice, such as PCs left unlocked or someone clicking on a malware-infected link in an email, can all lead to an attack and, ultimately, a serious data breach. Add to that the increase in employees using personal storage devices – such as USB memory sticks, smart phones, and tablets – and the potential to remove or copy sensitive information outside the corporate network has become a growing risk. The proliferation of mobile and removable devices has blurred the corporate boundaries, but GDPR requires that organisations should be able to trace all personal data and understand where it resides and how it’s used.

Organisations will need to document exactly what data collected and how it is processed, stored, retrieved and deleted through its lifecycle to pinpoint where data may be unprotected and/or at risk. Currently, however, 38 percent of surveyed organisations believe they have no control over where company data goes and where it is stored. This suggests a lack of policy and control over their data.

Policy and Education

The pivotal component of any organisation’s GDPR compliance framework is employee awareness and education. Employees at all levels must understand the critical importance of their organisation’s data and the need to comply with corporate security policy. Increased training and testing is key in educating employees about their responsibilities and their role in protecting sensitive information.

First of all, appropriate policies should be created and enforced. However, if employees do not recognise and understand the legislation and its consequences, the likelihood is that failings will ensue.

Corporate processes and policies aren’t always easy to implement and follow, and it’s impossible to secure against all lines of attack. Policies can be ignored, and advice disregarded, but with the right technology and education in place, businesses can reduce the potential impact and minimise the risks.

As part of the new GDPR requirements, organisations must demonstrate that authorisation and access to certain intellectual data and sensitive information is limited. They must be able to demonstrate who has access to information and the reasons why, whilst considering how data is protected outside of their central systems, both on the move and at rest.

To avoid the potential for human error when data is being transferred outside of the network or between systems, organisations need to research, identify and mandate a corporate-standard encrypted mobile storage device. In addition, the use of the device should be enforced across the organisation through policies – such as locking down USB ports so they can accept only approved devices. These processes will then enable organisations to identify shortcomings in their technologies and policies and provides a simple step toward GDPR compliance.

In fact, an organisation’s biggest liability within GDPR is at the point of breach and deploying encryption for mobile devices is a simple and quick win.  GDPR is generally non-prescriptive in terms of technology and the implementation of processes, policies and procedures is left to each business.  However, Article 32 requires “the pseudonymisation and encryption of personal data”.  Article 34 notes that, in the event of a breach if the data involved is encrypted, there isn’t a requirement to contact each individual affected, thereby avoiding the resultant administrative costs.

Human error is one threat to non-compliance, but GDPR imposes many different standards for data protection and it is an organisation’s responsibility to demonstrate how they are complying with each of the principles.

Among other action points, organisations should prioritise the following in their strategy:

  • Ensure up to date security systems are in place, particularly encryption and authentication technologies. This should include implementing appropriate monitoring and controls to evidence GDPR compliance.
  • Develop defined organisational policies and procedures covering how data is captured, processed, managed and disposed of, and check regularly that these are complied with.
  • Ensure processes are in place to manage the rights GDPR bestows upon the citizen – the right to be forgotten, the right to receive data in a portable format, and explicit consent and understanding for the collection of data, etc.
  • Ensure employees receive training on the cybersecurity policy and when to report incidents.
  • Restrict access to personal data only to those who need it.

Organisations should see GDPR not as a threat, but instead, use it as an opportunity to batten down the hatches and ensure their data is secure through best practices.

For further information, and a special offer of a device to test for FREE, please visit: www.apricorn.com/gdpr/gpsj

Leave a Reply

You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>