GDPR compliance will never be ‘job done’, writes Jon Fielding, managing director EMEA of Apricorn, an encrypted USB drive company. He covers what every firm must do to maintain compliance.
Over a year has passed since the deadline for compliance with the new General Data Protection Regulation (GDPR), and organisations have been warned repeatedly that compliance is not a one-off task. However, in Apricorn’s latest survey, around a quarter (24pc) of UK-based respondents who say their organisation is in compliance believe they do not need to assign any further budget or resources to GDPR. This is a big decline from last year’s survey, in which 98 per cent of respondents who knew that GDPR applied to them forecast a need to assign further budget and resources after achieving compliance.
Why the appearance of complacency in 2019?
One possibility is this could just be a misunderstanding — perhaps with reference to the potential situation post-Brexit. However, although the GDPR originated as an EU directive, many of its requirements will likely continue for the foreseeable future in UK law — perhaps even under a ‘no-deal’ scenario on October 31. In any case, as with the situation in the US, any company which handles EU citizen data will still have to comply with GDPR. The regulation adopts a proactive stance to data protection in that it allows for organisations to be audited to check they are in compliance and, in the event they are not, will apply and monitor remedial action. As such, businesses should ensure that compliance remains a continual process.
Businesses must take a responsible attitude to the collection, storage and processing of personal data, and continually test against GDPR compliance. The good news is that two thirds (66pc) of respondents in the research now hardware-encrypt all information as standard, up from just half in the survey last year, demonstrating that encryption is a critical element within GDPR compliance and the protection of sensitive data. Encouragingly, encryption is specifically recommended in GDPR Article 32 to protect personal data, as well as in Article 34, which details the reduction in notification obligations for those who have suffered a breach where the data in question is encrypted. Despite this, Apricorn’s 2019 survey saw over a quarter (27pc) of respondents acknowledge a lack of encryption as one of the main causes of a data breach.
What organisations must do
The survey found that respondents are allocating, on average, just under a third (30pc) of their IT budget to GDPR compliance, with 86pc of companies also confirming that the C-suite now owns the security budget, meaning GDPR is now very much a board-level topic. This demonstrates that organisations are making progress, but there still seems to be a long way to go in terms of education and awareness.
The most common activities to maintain compliance are to continue to enforce and update all policies and invest in employee awareness on a regular basis. Every company should have, at the very least, the following key tasks on its ongoing action list:
– Update and enforce all policies put in place for GDPR – as part of this, organisations must also be able to prove this compliance if challenged in the event of a data breach.
– Investing in employee awareness on a regular basis is crucial. Worryingly, the survey also shows that trust in employees’ ability to keep data safe is declining.
– Continue to analyse all personal data that is collected, stored and processed, and understand where it is located and who has access to it. If the data is deemed irrelevant to the business, it should be deleted on an ongoing basis and the remainder tested in support of the new rights individuals have under GDPR.
– In addition, all data should be encrypted as standard. Encryption is a key component within the compliance ‘kit’, not only reducing the chance of a breach but mitigating the potential financial penalties. Organisations should research, identify and mandate corporate-standard encrypted devices and educate employees on their use to avoid the risk of a breach and being fined for non-compliance.
When this is done, it will remain important to continue investing in security technologies and having a dedicated GDPR team or expert to review security and data policies on an ongoing basis. Organisations must be mindful that complying with GDPR is not ‘job done’. Forgetting this will increase the probability of a breach, hefty financial penalties and reputational damage.