{"id":4073,"date":"2018-02-23T12:04:32","date_gmt":"2018-02-23T11:04:32","guid":{"rendered":"http:\/\/www.gpsj.co.uk\/?p=4073"},"modified":"2018-02-23T12:04:32","modified_gmt":"2018-02-23T11:04:32","slug":"gdpr-humanising-data-protection","status":"publish","type":"post","link":"https:\/\/www.gpsj.co.uk\/?p=4073","title":{"rendered":"GDPR \u2013 Humanising Data Protection"},"content":{"rendered":"
\"\"<\/a>

Jon Fielding, Managing Director, EMEA Apricorn<\/p><\/div>\n

By Jon Fielding, Managing Director, EMEA Apricorn<\/span><\/p>\n

As the General Data Protection Regulation (GDPR) deadline looms, organisations are scrambling to find all potential vulnerabilities that could lead to sensitive data being lost or exploited. GDPR will ensure all countries comply with the same comprehensive controls over the personal data of European citizens, applying a consistent level of security and protection wherever it is processed. The new regulation is set to push organisations into taking appropriate steps to protect the data they house. Should a company be found in breach of GDPR, it could be subject to fines of 4 per cent of its annual global turnover or \u20ac20 million, whichever is greater.<\/p>\n

Human Error<\/strong><\/p>\n

Organisations are investing heavily in new cyber security tools, adopting the latest software and threat intelligence in order to comply with the new legislation and avoid the consequences of a data breach. However, even with the greatest security systems in place, one of the biggest threats to intellectual property comes from the user and the risks posed by human error.<\/p>\n

Human beings are typically the weakest link when it comes to data security. In a survey carried out by Apricorn, 48 per cent of companies said employees are their biggest security risk, and as many as 44 per cent expect that employees will lose data and expose their organisation to the risk of a data breach.<\/p>\n

Human error and poor practice, such as PCs left unlocked or someone clicking on a malware-infected link in an email, can all lead to an attack and, ultimately, a serious data breach. Add to that the increase in employees using personal storage devices \u2013 such as USB memory sticks, smart phones, and tablets \u2013 and the potential to remove or copy sensitive information outside the corporate network has become a growing risk. The proliferation of mobile and removable devices has blurred the corporate boundaries, but GDPR requires that organisations should be able to trace all personal data and understand where it resides and how it\u2019s used.<\/p>\n

Organisations will need to document exactly what data collected and how it is processed, stored, retrieved and deleted through its lifecycle to pinpoint where data may be unprotected and\/or at risk. Currently, however, 38 percent of surveyed organisations believe they have no control over where company data goes and where it is stored. This suggests a lack of policy and control over their data.<\/p>\n

Policy and Education<\/strong><\/p>\n

The pivotal component of any organisation\u2019s GDPR compliance framework is employee awareness and education. Employees at all levels must understand the critical importance of their organisation\u2019s data and the need to comply with corporate security policy. Increased training and testing is key in educating employees about their responsibilities and their role in protecting sensitive information.\"\"<\/a><\/p>\n

First of all, appropriate policies should be created and enforced. However, if employees do not recognise and understand the legislation and its consequences, the likelihood is that failings will ensue.<\/p>\n

Corporate processes and policies aren\u2019t always easy to implement and follow, and it\u2019s impossible to secure against all lines of attack. Policies can be ignored, and advice disregarded, but with the right technology and education in place, businesses can reduce the potential impact and minimise the risks.<\/p>\n

As part of the new GDPR requirements, organisations must demonstrate that authorisation and access to certain intellectual data and sensitive information is limited. They must be able to demonstrate who has access to information and the reasons why, whilst considering how data is protected outside of their central systems, both on the move and at rest.<\/p>\n

To avoid the potential for human error when data is being transferred outside of the network or between systems, organisations need to research, identify and mandate a corporate-standard encrypted mobile storage device. In addition, the use of the device should be enforced across the organisation through policies \u2013 such as locking down USB ports so they can accept only approved devices. These processes will then enable organisations to identify shortcomings in their technologies and policies and provides a simple step toward GDPR compliance.\"\"<\/a><\/p>\n

In fact, an organisation\u2019s biggest liability within GDPR is at the point of breach and deploying encryption for mobile devices is a simple and quick win.\u00a0 GDPR is generally non-prescriptive in terms of technology and the implementation of processes, policies and procedures is left to each business.\u00a0 However, Article 32 requires \u201cthe pseudonymisation and encryption of personal data”.\u00a0 Article 34 notes that, in the event of a breach if the data involved is encrypted, there isn\u2019t a requirement to contact each individual affected, thereby avoiding the resultant administrative costs.<\/p>\n

Human error is one threat to non-compliance, but GDPR imposes many different standards for data protection and it is an organisation\u2019s responsibility to demonstrate how they are complying with each of the principles.<\/p>\n

Among other action points, organisations should prioritise the following in their strategy:<\/p>\n