There are lots of distractions for businesses in the UK at the moment that come with the snap election and leaving the EU, but one thing is certain: GDPR. Time is ticking towards the May 2018 deadline for compliance and, whether Brexit happens or not, the signs from the Information Commissioner's Office are that even if GDPR doesn't apply in the UK, there will be something equally as robust. In addition, firms that are processing the information of EU nationals or trading across the EU must abide by the rules of GDPR.
The sanctions for non-compliance have the scope to be harsh, with the potential to seriously damage an organisation's finances. Individuals may be held accountable, and fines of up to 20 million Euros or 4% of global turnover could actually sink a less than robust business.
Every organisation processing personal data must be able to demonstrate that they have taken all necessary steps to safeguard against loss, theft and unauthorised access. If the inevitable does happen and data is breached, the organisation should be able to detect it swiftly and to report it to regulators within 72 hours.
We are pleased to say that RFA is fully certified as part of the IASME governance standard, which demonstrates that we have a robust governance system and can adequately protect personal data, and data belonging to our clients. We have an extensive risk strategy, a staff training policy, the right security hardware and software infrastructure in place and a well-trained cyber incident response team, with a plan that has been tested time and time again to ensure it continues to work and meet our needs. In short, we practise what we preach to our customers, and we ensure that our customers' data is housed safely and securely in our GDPR-compliant data centres.
For smaller organisations out there it can feel like a huge burden, but there are a few foolproof steps that you can take to maximise your compliance:
- Certification to Cyber Essentials is a great first step and can mitigate ICO fines if a company suffers a breach. Cyber Essentials certification is evidence that you have carried out basic steps towards protecting your business and your data from internet-based cyber-attacks.
- Your firm could certify to the IASME governance standard, to show that your organisation has a wider system for protecting personal data.
- You can run an audit to ensure that all systems handling your customers' personal data on your behalf are compliant. Individual accountability could mean that ignorance is not an option if one of your systems is not compliant.
- Put systems in place to facilitate speedy responses to subject access requests.
- Larger firms should employ a Data Protection Officer to ensure that systems are in place to monitor the processing of personal data.
Lastly, embed data protection and cybersecurity into the fabric of the business. Include it in employee induction training, refresh that training regularly, and keep it on the agenda at board meetings. If there isn't a Data Protection Officer in post to blame, you might find that the natural culprit for any data breach is the IT department. Make sure to partner with a knowledgeable and certified provider, like RFA, to help you achieve compliance.