GDPR (General Data Protection Regulation) is the biggest change to data protection there has ever been. Under the new regulation, businesses must change the way they look at and protect the data they are responsible for. Failure to comply with the regulation will mean not only reputational damage but also regulatory fines for major data breaches.
GDPR – Understand Your Risks And Responsibilities
GDPR is designed to protect the data and information of EU citizens, and to do this the regulation governs the way in which businesses process and store data. Under the new regulation, businesses and organisations are required to appoint a data protection officer. Their role will be to ensure that data is stored and processed in the most secure way. They will also be given the task of supervising compliance with GDPR.
GDPR – Replacing The Data Protection Act
GDPR is going to replace the existing Data Protection Act. Times have changed, and data is now a much more profitable commodity for both businesses and cybercriminals. The biggest change under GDPR will be the time allowed for your data controller to notify the local authority of a data breach: under GDPR a data controller / data protection officer has 72 hours to notify the local authority of the breach. The other major change to note is that under GDPR the maximum fine for an organisation whose lack of compliance has led to a breach will be £20 million or 4% of annual worldwide turnover, whichever is the greater amount.
* Data from Breach Level Index.
GDPR – How To Deal With A Data Breach
It is important that a business knows how to deal with a breach and understands the steps needed to get back to the situation it was in before the breach. The following steps make this possible:
- Identify the breach and take steps to end it.
- Check your insurance policy and notify your insurer.
- Identify the personal data breached – the type of data and number of records.
- Determine remediation measures.
- Notify the ICO without undue delay and in any event within 72 hours.
- Notify affected data subjects if the breach is likely to result in high risk to their rights and freedoms.
- Implement remediation measures and monitor.
- Review root causes of the breach and take steps to prevent repetition.
- Provide further training to staff as required.