Cyber Security and GDPR

Posted on Sep 29, 2017 in Business Regulation


So what is GDPR? Well, for a start it’s an acronym which stands for the General Data Protection Regulation, a piece of legislation being brought in by the EU with effect from 25th May 2018.

When the EU GDPR comes into effect next year, it will set a new, higher bar for security, privacy rights and compliance. It will apply to all organisations in the EU, including the UK: the UK government has already confirmed that GDPR will remain the UK data protection standard indefinitely following Brexit.

Keeping your clients’/customers’ information safe and secure is now one of the top priorities for all businesses, from the very smallest firms upwards, and every industry is at risk. In 2016 it was reported that there was a 22% increase in cyber-crime, and it is increasing exponentially.

In fact, new research from leading market analysts Juniper Research showed that on current trends cyber-crime will cost businesses over $2 trillion by 2019. The proof is out there on the ICO’s website and in the media: the NHS, TalkTalk and Netflix, all household names, have all fallen victim.

(The ICO or to give its full name, the Information Commissioner’s Office, is the UK’s independent authority set up to uphold information rights in the public interest).

From a personal perspective, the new regulation will ensure:

  • Individuals’ control over all their personal data
  • Extra security and controls to protect data

And from a business perspective, it means more accountability of what we do with other people’s data, how we use it, interact with it and store it.

What are the penalties for non-compliance?

To ensure these updated regulations are taken seriously, penalties of up to £20 million or 4% of a business’s annual turnover (whichever is higher) for non-compliance are currently being considered as the potential punishment, at the discretion of Elizabeth Denham, the Information Commissioner who heads the ICO.

Ms Denham was named one of the most influential people in data-driven business in 2017, and with those kinds of penalties in her back pocket, you can understand why. However, the Commissioner has stated that there have been a great many myths and misinformation in the media regarding GDPR, including one highly reputable news channel reporting fines of up to one billion pounds.

Ms Denham has made it clear that any fines under GDPR will only be applied when absolutely necessary; they will be proportionate to the offence and will be used only as a last resort.

Which businesses will be affected by GDPR?

As the new regulation comes into effect, organisations that hold any personal data will be impacted, so pretty much everyone. In a recent survey, many firms agreed that, despite handling vast amounts of sensitive data daily, there is so much else going on that they perhaps do not think as much as they should about the back-end systems holding this data, or about how this data moves around and out of the business.

A lot of businesses, from multi-nationals to small high street retailers, rely heavily on their current systems having secure measures in place, but don’t know for sure whether those systems are running to a standard ready for 2018 or whether their security measures are woefully out of date.

Another major consideration is firms using older, custom-built systems or applications running on old servers. Are they really fit for purpose? And I’m not just talking about GDPR, but also about other cyber security threats to their businesses, such as phishing and hacking.

Is GDPR why you have to make changes?

Partly, but data security and cybercrime aren’t the only elements that need to be considered. Internal operations, PAYE and employee records, for example, also need to be covered. Royal & Sun Alliance Insurance was fined £150,000 in January 2017 for the theft of a hard drive, while many other companies in the finance sector have received six-figure fines in the last two years for marketing activity that breaches the current data laws. As these laws become more stringent, the responsibility is on everyone, from communication with the public to how staff manage the information they are exposed to.


Some of you may be thinking: surely GDPR is just an updated version of the current Data Protection Act, and if that is the case, then my firm doesn’t need to be making any changes? The first thing to understand here is why these changes have come about, and why they are happening now. Data has become, and is increasingly becoming, a much higher-class asset for firms worldwide, and it pervades almost everything we do.

What do you need to do to comply with GDPR?

For a start, you need to begin reviewing your privacy and data governance policies and procedures now, as well as your computer systems and security software. Other steps in the right direction towards compliance could include:

  1. Identify the data you hold on your clients, which could include things such as their contact details or their business bank account information.
  2. Ask yourself: ‘Do I need to be holding this data? What am I using it for?’
  3. If any client data is passed on to third parties, such as an advertising agency, check whether their systems are robust enough, as it’ll be you in trouble if they’re not!
  4. Check your cyber protection methods and ensure you or your third-party providers have taken precautions such as installing encryption software on all laptops, PCs and electronic devices you and your staff use. Is all patching up to date on the servers you hold, on or off site?
  5. Appoint a data protection officer, or if you’re a small firm, do it yourself.

By using the above as a starting point, you will be able to work out what steps you’ll need to take to be compliant, but don’t wait until the last minute to make changes. Elizabeth Denham certainly won’t be making excuses for anyone come May 2018.

Finally, if you’re a micro-business, such as a one-man or one-woman firm, you may be tempted to think that GDPR doesn’t apply to you, but it does if you store any data on customers digitally.

David Jones, Shrewsbury Accountant and Founder of Morgan Jones

If you would like more detailed information on some aspect of UK Tax, send me an e-mail and I’ll be pleased to advise further.
