The EU’s General Data Protection Regulation (GDPR) came into effect in May 2018. Regardless of the UK’s departure from the European Union, the GDPR must still be respected by organisations dealing with EU citizens. The law also essentially applies to UK citizens, because the UK has adopted the same legal standards internally post-Brexit. To avoid potential fines of tens of millions of Euros, companies must understand the relevant data protection legislation and ensure they have appropriate measures in place. Northdoor can help, providing step-by-step reviews of your existing systems and practices, recommendations for future approaches, and an integrated set of proven tools for gaining and maintaining control over all relevant data throughout your organisation.
Data protection legislation in the UK and EU defines personal data as any information relating to an identified or identifiable natural person – this broad definition means that organisations must carefully review and classify all of the data they hold. Among the provisions are:
- The right for citizens to access, correct, transfer or delete their personal information held within any company’s systems
- The need for citizens to give explicit consent for their data to be held, and for companies to store this consent
- The requirement for companies to notify data authorities and consumers within 72 hours of any breach in security around their data
- The enforcement of fines of up to 4 percent of global annual turnover (or €20 million, whichever is higher) for serious violations.
If your business offers goods or services within the UK and/or the EU, or otherwise monitors the behaviour of individuals who are UK and/or EU citizens (for example, by using online cookies), you will need to achieve and maintain compliance with UK data protection regulations and/or the GDPR.
In the most simplistic terms, the key implication is that your business must fully understand what personal data it holds, where this data is stored and who has access to it, throughout the full information lifecycle. Beyond this, you will need to have clear organisation-wide data-protection policies, set up rigorous governance schemes, maintain auditable records, design and perform annual data protection impact assessments, and ensure that your business partners are also in compliance. Last but not least, you must gain the ability to rapidly detect and report on data breaches, and to find, modify or remove personal data on request and within prescribed time limits.
The stakes are high, and in most organisations the size and diversity of existing data stores make the challenge a daunting one. The good news is that Northdoor’s Protect IT security practice has an established set of reviews and recommendations to help you achieve and maintain compliance. Our focus is on delivering the best toolsets to help you reliably discover, classify, protect and govern data over time, regardless of where or how it is stored across your local or cloud infrastructure. Crucially, our approach is built on automation, integration and continuous monitoring, so compliance can be accomplished smoothly, rapidly, auditably and without the need to employ armies of administrators.
The average UK organisation suffers 3.9 breaches per year (only 45% of which are actually recognised).
£2.37m is the average total cost of a data breach.
87% of security spend is on network perimeter security, yet 86% of breaches are internal.
49% of incidents involve a malicious or criminal attack.
(Source: 2015 Cost of Data Breach Study: United Kingdom, IBM and Ponemon Institute.)