When the General Data Protection Regulation (GDPR) came into effect in May 2018, businesses from all sectors struggled to meet the deadline. According to our research announced around the same time, more than two thirds of companies were not confident of being fully compliant ahead of the GDPR deadline.
Businesses should not rest on their laurels – half of the organisations in our survey admitted they lacked the understanding of the data they collected and processed, making it their number one concern relating to non-compliance, and a quarter came forward and said they didn’t understand the new responsibilities that came with GDPR.
As we enter 2019, it’s the perfect time for organisations to start a fresh and get to grips with ensuring compliance and the security of their intellectual property. Many security companies will be taking this opportunity to crystal ball gaze and make their security predictions for the year ahead, but whatever the future holds, the questions we need to answer are the same: what are the security implications, and how do we manage them? Everyone has a view on this, but the overarching response should always be to revert to basic security best practice.
To avoid putting data at risk and ensure compliance this year, and every year, organisations should consider the following basic security principles:
- Organisations should review their existing security processes to better understand their current security posture against compliance guidelines and best practices, identifying the gaps and putting a plan in place to address these areas.
- Education and awareness programmes need to be created and run for all staff, temporary and permanent, and these must be regularly updated and tested.
- Employees should be clearly informed of the necessary password policies which should also be enforced at a technical level wherever possible.
- The encryption of data should be a key element of any security strategy. Encryption is specifically recommended by Article 32 of GDPR as a method to protect personal data.
- Data should be encrypted at rest and in transit, especially for removable storage devices.
- Data taken beyond the corporate network should be done so on corporately approved, mobile storage devices featuring strong encryption, and non-sanctioned devices should be prohibited from working by end point control solutions.
- Organisations should also have a well-defined patching process in place to ensure all software and systems are updated regularly.
By reverting to the basics, businesses will be in good stead for meeting compliance regulations. They need not only focus on the fines they might receive, but how GDPR compliance could be a driver of increased customer trust and overall business growth. Forty four percent in our survey agreed that GDPR was a welcome opportunity to overhaul their organisation’s data handling and security processes and ninety eight percent of respondents recognised that they need to continue investment in policy, people and technology post the deadline. The task now is to maintain compliance and ensure best practice remains a priority. Achieving a sustainable security posture is an ongoing exercise.