The EU General Data Protection Regulation (GDPR) is coming - May 2018.
The EU General Data Protection Regulation (GDPR) will replace the existing EU Data Protection Directive (DPD) and all EU member states’ national laws based on it – including the UK Data Protection Act 1998 – in May 2018.
All organisations – wherever they are in the world – that process or store the personally identifiable information (PII) of EU residents must comply with the Regulation. In addition, all organisations will be legally required to report all security breaches to the Information Commissioner's Office (ICO) within 72 hours of becoming aware of them; this even extends to having to notify the customers who are affected.
Alongside the tightened regulation come potentially huge increases in the fines (£20m or 4% of turnover, compared to the current £500,000) that may be levied on businesses which suffer any breach as a result of poor or inadequate data security. The government hopes that the scale of the potential fines will drive better security practices within the business community, to ensure that data leaks like those experienced by Talk Talk never happen again.
Personally Identifiable Information (PII)
Personally identifiable information (PII) is an attractive target for hackers and cyber criminals because it is easy to steal and it is easy to sell.
Protecting PII is a challenge for individuals and businesses alike. As individuals, we alone are to blame if we expose our own information to risk, but organisations have a far greater liability. Every organisation is built on people and processes, and ultimately it is responsible for the actions of its staff and the effectiveness of the processes that define how PII is protected.
A great deal of PII loss is the result of stolen or lost equipment, hard drives or documents. Repeated errors – such as sending information to the wrong recipients because of incorrect email addresses – are common, as are online data breaches and cyber-attacks.
How does this relate to you and Mirus?
Article 32 of the GDPR states that organisations shall implement appropriate measures to ensure a level of security appropriate to the risk, including among other things:
- Encryption of all personal data
- The ability to restore the availability and access to data in a timely manner in the event of an incident
- A process for regular testing, assessing and evaluating the effectiveness of technical measures to ensure security
Our technical division includes a highly skilled team of consultants and engineers capable of testing system encryption and defences for vulnerabilities and of advising on appropriate mitigation measures to ensure you can protect your data.
Brexit and GDPR - what now?
Whilst Article 50 has been triggered by the UK government, the UK will still be a member of the EU by the time the GDPR comes into force. Therefore, on present information, all businesses should assume that the Regulation will come into force and should be adhered to.
Start planning now!
It's vital that you start planning now to ensure your business is working towards strong IT security. The first stage is to understand your current position and areas of exposure. Our audit will review internal and external security practices plus give you guidance and recommendations to ensure you maintain a strong barrier to the threats that exist.