On 25 May the General Data Protection Regulation (GDPR), will be enforced throughout the EU, including the UK, regardless of the country’s exit from the union in 2019.
This means that before the end of the month, companies, no matter how large or small, must be GDPR compliant, or risk the prospect of heavy penalties and fines.
How does a company become GDPR compliant?
Any company that collects or stores personal data must ensure that the data it holds is secure and managed in a professional manner.
Businesses that suffer breaches through poor security measures face tough financial penalties, which can include a fine of four per cent annual turnover, or €20-million, whichever is greater.
Overall, the purpose of GDPR is to give people more control over how organisations use their data, and to ensure that protection is as identical as possible throughout each country in the EU.
Here are a few steps towards becoming GDPR compliant:
Invest in a data protection officer
The first step that companies are advised to take is to hire or train a data protection officer so that businesses can adhere to the new regulation.
A data protection officer will usually have a combined legal and technology background so that they have a full understanding of the regulation, but each organisation is unique and an officer’s background can vary.
Create a data register
The next step that a business must take is to create a thorough record of the company’s data processes so that it can prove GDPR compliance to the Data Protection Association (DPA).
If a company encounters a data breach, the DPA will request to see the data register so that it can review how compliant the company has been towards its GDPR goals.
The more compliant it has been, the lesser the fine levied on them might be.
Classify data
All Personal Identifiable Information (PII) of EU citizens must be classified, so it is important that a business identifies where this information is stored, who has access to it, and who it is being share with.
It’s also important to realise which data is the most important so that contracts can be put into place for the most vital information that needs protecting.
Evaluate how data is protected
Once that you are able to identify which data needs protecting, you can start to understand how you can secure it.
There are a range of ways that a business can protect important data, including through encryption, tokenisation, or psuedonymisation.
Focus should also be put on where data is backed up, and whether this is on-site or on a cloud server.
As a caveat, it’s also worth remembering that data should be protected from the very first day that it is collected.
Ensure that your website is GDPR compliant
There are tens of thousands of ways that a website can be hacked or breached, so it is important to ensure that you employ the most robust security measures possible.
This is especially important if people are submitting data to your website, so you need to ensure that it is encrypted.
Ensure that your SSL certificate is up to date and make regular checks across your website to ensure that it has not been breached by hackers.
Google has a great article about how to check whether your website has been hacked or breached.
If you want to know more about website security, and how BurstingBox can help protect your website, call us on 01226 720 769, or check out our contact page.