Ensure GDPR Compliance & Data Protection

Following on from our recent article ‘Don’t be Spooked by GDPR!’, in which we encouraged you to 1. Be Aware and 2. Prepare for GDPR, here we tell you about the next step in the process of becoming GDPR compliant.

3. Protect

Once you know where you hold personal data, you need to be sure it is well-protected.

Any unsecured system risks the loss of personal data, which could result in heavy fines, damage to brand reputation and lost revenue.

Just to make you aware, the penalties for failure to comply could be up to €20m or 4% of total worldwide turnover, whichever is higher.

It is therefore important to evaluate whether the right technologies and processes are in place to help you control access to your data systems, protect your IT systems from attack and keep data from falling into the wrong hands. If the worst happened and there was a breach of security, are you then able to render the data unusable?

Encryption is encouraged by the GDPR as it’s the easiest and safest way to secure data. Article 30 of the Regulation requires organisations to keep records and proof that their systems are secure and that encrypted data is recoverable after a technical incident.

To further demonstrate compliance, businesses should have comprehensive data protection policies for the internal handling of data; up-to-date employment contracts and privacy policies for staff and, where appropriate, the public; impact assessments; and a ‘subject access response’ which outlines how individuals can access their own data. Effective disaster recovery plans, password recovery and key management systems should also be in place.

The Information Commissioner’s Office (ICO) gives lots of useful information about GDPR, as well as guidance on policies and impact assessments which can help you establish what the risks are to your business, how the risks can be minimised and when they are heightened by a change in business practice. It is worth familiarising yourself with these impact assessments as there will be a requirement to conduct them regularly.

Again, this may all seem quite daunting and there is no doubt a lot of work to be done, but be assured that VCI Systems can help you with the technical elements of your GDPR compliance.

If you would like to talk through any specific points above or would like any technical advice, please do call us on 0118 976 7111.