GDPR actions For Business Leaders

General Data Protection Regulations For Business Leaders

The biggest vulnerability in any business are the employees followed by IT than the business processes and procedures. Although technology can help block 95% of all malicious emails and web links, those 5% that get through can do a lot of damage. This is where we come in.

First of all, Don’t Panic then read through this summary:

1) What is GDPR: 

A tough new personal data law comes into effect on 28th May 2018 which is designed to allow individuals better control of their personal data with the potential for large fines for compliance and/or data breach failures.

2) What does it mean to my business: 

You need to be able to demonstrate you have the controls, processes and procedures around the following areas:

  • The types of data you have
  • Where that data resides and its life cycle
  • Who has access to it and is it Audited
  • Explicit consent needed
  • Right for personal data to be forgotten
  • Ability to identify and report a data breach (in 72 hrs)
  • Ongoing employee training
  • Appoint a Data Processing Officer (DPO)

3) Do I need a DPO: 

You may need a DPO if your core activities involve special categories of data (see GDPR Article 9(1) or you manage large amounts of personal data.   

If you do not need a DPO, you may still need to make sure you have a good Data Policy addressing all the points above. Think of it as a spring clean of your data and could allow you to turn this new data focus into an opportunity for your business!

4) Firstly:

  1. Research GDPR for yourself (SMB GDPR summary here
  2. Identify key people in your organisation (HR, Finance, IT) 
  3. Add GDPR as a board agenda item if not already 
  4. Identify Vulnerabilities
    – Cyber Security Check list (Vulnerability overview)
    – Cyber Essentials Check list (Industry based cyber security level)
    – Network Scan (Covers Risk, Network, Site, Asset, Backup)
    – Security Scan (Covers Risk, Policy, Permissions, User Login)
    – Apply IT recommendations from above
    – Apply Process recommendations from above   
  5. Ongoing
    – Regular Network & Security Scans & patch management
    – System and workstation monitoring
    – Ongoing cyber security user training 

It’s important to make sure there is clear and open communication between all key business sponsors, such as HR, Finance and Legal with the full support of the board.

“When you consider that employees are 6x more likely to open a phishing email than a marketing email, you can understand why it’s important to make sure your Data/Cyber Protection message and training is as simple and uncomplicated as possible.”
– Sophos

If you’re concerned about the what GDPR means to you, I would be happy to have a brief call with you to cover the basics.  

Contact us on 023 92 482556

3 Examples of data security policies from Sophos to give you an idea of what’s involved:  Sample Data Security Policies, please click here.       

Warm regards                 

Matthew