While most have heard of the GDPR, it is all too easy for businesses to commit an unintentional breach, and this can prove a costly mistake. What are the best steps to take to meet the standards required for a GDPR audit?
What is the GDPR?
The GDPR (General Data Protection Regulation) was introduced in the EU on 25 May 2018. It aims to give EU citizens greater control over their personal data. It also ensures that businesses are held to a higher standard of accountability about storing and disposing of customer data.
The most obvious sign of the GDPR for users is the request for consent before cookies are set on websites. The transit and storage of any data tied to an individual user are subject to similar restrictions. This includes names, addresses, email addresses, IP addresses, and highly sensitive information such as bank details.
What effects has the GDPR had on the business?
The regulation has required significant changes to data handling for many businesses, and some are still not fully GDPR compliant. Fines for breaches, however, are substantial: up to 4% of annual turnover or €20 million, whichever is the greater. Businesses that fail to meet their GDPR requirements also incur significant reputational damage.
There have been several high-profile cases of infringements, including well-known names like Ticketmaster and British Airways. In both these cases, fines were issued after they failed to notify users following data breaches. The penalties were severe, but just as problematic for businesses is the potential damage to consumer trust. With an ever-increasing emphasis on data, users rightly have concerns about who has access to their information, and they will choose to do business with GDPR-compliant organizations they can trust.
What must businesses do to comply?
The first important consideration is full awareness of compliance responsibilities. Any modern business holds personal data on its customers, and that data falls under the GDPR. From initial collection, through transmission and storage, to final destruction, all personal data must be handled in accordance with the GDPR.
Businesses should only store data that is relevant, and its collection must be transparent. Any information stored without the user’s consent is a serious breach of GDPR legislation. This consent has to be given in clear and explicit terms, rather than implicitly assumed, and it must be easy for users to revoke their consent if they wish.
Encryption is now vital for personal data at every stage of its journey, especially given the extent to which the cloud is now used to process and store data. Data must be encrypted immediately on collection so that its initial transmission from source to storage passes only through secure channels. This is known as “in-transit encryption.”
Equally important is “at-rest encryption,” which covers the security of data as it is stored. This applies to both client-side and server-side storage. No user without proper authorization should be able to access the data, which also means it cannot be sold or passed on to third parties without the original user’s consent.
These encryption and security requirements apply equally to any third-party company used for data storage. Your business can be held responsible for a breach by such a third party of customer data you originally collected.
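The two controls just described, encryption in transit and encryption at rest, are concrete enough to show in code. The following Go program is an added example, not code from the article or from Wisetek: it encrypts the sensitive field of a constructed customer record with AES-256-GCM before storage, binds the record ID into the ciphertext so a copy cannot be silently moved to another customer's row, and declares a minimum TLS version for the transmission leg. The Record and Envelope types, the field names and the “cust-1001” identifier are all assumptions made for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/tls"
	"errors"
	"fmt"
)

// Record is a constructed stand-in for the personal data the article describes;
// real records carry far more fields, but the handling is the same.
type Record struct {
	ID    string
	Email string
}

// Envelope is what is actually written to storage: a per-record nonce plus the
// AES-GCM ciphertext (which carries its own authentication tag). Plaintext never lands on disk.
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealRecord encrypts the sensitive field of a record for storage. The record ID is
// bound in as associated data, so a ciphertext copied onto another record's row
// will not decrypt there.
func SealRecord(key []byte, rec Record) (Envelope, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // fresh random nonce per record; never reuse one under the same key
		return Envelope{}, err
	}
	ct := gcm.Seal(nil, nonce, []byte(rec.Email), []byte(rec.ID))
	return Envelope{Nonce: nonce, Ciphertext: ct}, nil
}

// OpenRecord reverses SealRecord. A wrong key, a modified ciphertext or a mismatched
// record ID all fail authentication and return an error rather than garbage plaintext.
func OpenRecord(key []byte, id string, env Envelope) (Record, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Record{}, err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(id))
	if err != nil {
		return Record{}, errors.New("record failed authentication: wrong key, wrong record ID, or tampered data")
	}
	return Record{ID: id, Email: string(pt)}, nil
}

// TransitConfig is a minimal client-side policy for the in-transit leg: the
// connection from collection point to storage must use TLS 1.2 or newer.
func TransitConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12}
}

func main() {
	key := make([]byte, 32) // in production the key comes from a key management service, never from source code
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	env, err := SealRecord(key, Record{ID: "cust-1001", Email: "alice@example.com"}) // constructed record
	if err != nil {
		panic(err)
	}
	rec, err := OpenRecord(key, "cust-1001", env)
	fmt.Println(rec.Email, err) // alice@example.com <nil>
	_, err = OpenRecord(key, "cust-2002", env) // same ciphertext, wrong record ID
	fmt.Println(err != nil)                    // true
}
```

Two points worth noting for an audit: the key is the thing that actually needs protecting once data is encrypted at rest, which is why it should live in a key management service rather than alongside the data, and the same key can later be destroyed to render every copy of the ciphertext unreadable (the “crypto-shredding” approach to disposal).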
The most sensible approach overall is to run your operations with a security-first ethos. This means it is not sufficient to delegate GDPR concerns to the IT department. Of course, they will have a vital role in your compliance picture, but the issues are not merely technical. Virtually every department will be involved in handling data at some point and must be aware of the need to put data security at the forefront of all operations.
The importance of data disposal
As well as the regulations concerning data gathering, there are also requirements for the proper disposal of data. There are three main circumstances where the correct destruction of data needs to be considered.
- When it is no longer useful: under the GDPR, data no longer required for its original purpose should be disposed of.
- Under the GDPR, individual users have a right to withdraw their consent to retain their data.
- Where hardware becomes obsolete, any data stored on it is at risk of exposure, so proper hardware disposal and e-recycling procedures need to be followed.
In all cases, it is vital to consider where duplicates of records may be stored: locally, on servers, in the cloud, and on backup media. Physical copies of data, such as paper printouts, also need to be considered. Data disposal should have an audit trail. In many cases, it is wise to use a third-party specialist for such processes. You need to ensure they have the appropriate accreditation.
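The two practical demands in the paragraph above, tracking every duplicate of a record and keeping an audit trail of its destruction, can be combined in a small disposal ledger. The Go program below is an added example, not code from the article or from Wisetek. It keeps a register of where each record is known to exist (constructed here: a primary database, a cloud bucket, a backup tape and a paper file), appends one hash-chained entry per disposal action, reports which copies of a record are still outstanding, and verifies that no entry in the trail has been altered or removed. The location names, disposal methods and operator identifiers are all assumptions.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// CopyRegister records every place a customer record is known to exist. These
// entries are constructed for the example; a real register is populated from the
// data inventory and must include backups and paper, not just the primary store.
var CopyRegister = map[string][]string{
	"cust-1001": {"primary-db", "cloud-bucket", "backup-tape", "paper-file"},
}

// Entry is one disposal event. Each entry commits to the previous one through
// PrevHash, so the ledger can be checked for deleted or altered rows.
type Entry struct {
	RecordID string
	Location string
	Method   string // e.g. "crypto-shred", "overwrite", "cross-cut shred"
	Operator string
	PrevHash string
	Hash     string
}

type Ledger struct {
	Entries []Entry
}

// digest hashes the entry's fields together with the previous hash; %q quoting keeps
// field boundaries unambiguous even if a field contains the separator character.
func (e Entry) digest() string {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%q|%q|%q|%q|%s", e.RecordID, e.Location, e.Method, e.Operator, e.PrevHash)))
	return hex.EncodeToString(sum[:])
}

// Append records one disposal action and links it to the current chain head.
func (l *Ledger) Append(recordID, location, method, operator string) Entry {
	prev := ""
	if n := len(l.Entries); n > 0 {
		prev = l.Entries[n-1].Hash
	}
	e := Entry{RecordID: recordID, Location: location, Method: method, Operator: operator, PrevHash: prev}
	e.Hash = e.digest()
	l.Entries = append(l.Entries, e)
	return e
}

// Verify walks the chain and returns the index of the first entry whose link or
// hash does not match, or -1 if the trail is intact.
func (l *Ledger) Verify() int {
	prev := ""
	for i, e := range l.Entries {
		if e.PrevHash != prev || e.digest() != e.Hash {
			return i
		}
		prev = e.Hash
	}
	return -1
}

// Outstanding lists the registered copy locations of a record that have no
// disposal entry yet. An erasure request is only complete when this is empty.
func (l *Ledger) Outstanding(recordID string) []string {
	done := map[string]bool{}
	for _, e := range l.Entries {
		if e.RecordID == recordID {
			done[e.Location] = true
		}
	}
	missing := []string{}
	for _, loc := range CopyRegister[recordID] {
		if !done[loc] {
			missing = append(missing, loc)
		}
	}
	sort.Strings(missing)
	return missing
}

func main() {
	var l Ledger
	l.Append("cust-1001", "primary-db", "crypto-shred", "ops-1")
	l.Append("cust-1001", "cloud-bucket", "delete+version-purge", "ops-1")
	l.Append("cust-1001", "backup-tape", "overwrite", "vendor-itad")
	fmt.Println(l.Outstanding("cust-1001")) // [paper-file]
	fmt.Println(l.Verify())                 // -1
}
```

The hash chain only makes tampering evident if the latest hash is also recorded somewhere the ledger's operators cannot rewrite, for example in a periodic report to the compliance function or with the third-party specialist who performed the destruction; on its own it proves internal consistency, not authenticity.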
The GDPR introduces several requirements for correct data handling, as well as strict penalties for breaching them. With active monitoring, however, these are not insurmountable: audits can then succeed, and any business’s reputation benefits from adherence.
Author Bio: This article was written by Opal-Dawn Martin, Compliance Manager at Wisetek, specializing in GDPR compliance regarding Data Destruction and ITAD.