The last thing you or the ICO want to happen is a data breach. Data security is at the heart of GDPR and this new regulation is actually here to make the world a more secure place online and offline. It is a huge step in the right direction for data security however demanding it may seem!
There is a duty on all organisations to report certain types of data breach to the UK supervisory authority, the Information Commissioner's Office (ICO), and in some cases to the individuals affected. A breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data constitutes a personal data breach. That covers far more than simply losing personal data.
72-hour limit
You only have to notify the ICO of a breach if it is likely to result in a risk to the rights and freedoms of individuals: for example, if it could result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant social or economic disadvantage. If a breach is high risk you must also notify the individuals concerned directly. A notifiable breach must be reported within 72 hours of becoming aware of it; failure to do so can result in a significant fine of up to 4% of your business’s global annual turnover or 20 million euros, whichever is greater.
You need to know whether you have the detection capability in place to tell when someone has gained access to your data. Do you have sufficient database protection technology on top of user ID and password breach detection? If you don’t, the authorities are likely to conclude that you are not ready for GDPR, and that can count against you if you are investigated.
The reason is to demonstrate accountability. Logging incidents and logging trends will help you put safeguards in place for prevention. If an employee sends an email containing personal details to the wrong person, that is technically a “data breach”: you must log it and deal with it accordingly, with justified actions.
Secure your admin page!
Admin pages are among the most targeted and most frequently compromised pages when it comes to website security. Make sure your passwords are strong and stored securely. Consider adding two-factor authentication to your admin login. Two-factor authentication is where you are sent a code to your mobile phone which you enter when you log in. Although it may seem a hassle, the benefit of having a secure admin page and not being hacked far outweighs the damage and costs that a hack can create.
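To show what the server side of the “code sent to your phone” step described above involves, here is an added example in Python. It is not code from the original article or from SOZO; the five-minute validity, the five-guess limit and the `SecondFactor` class name are assumptions for illustration. The delivery channel (SMS or an authenticator app) is out of scope; the point is that the server keeps only a salted hash of the code, expires it, voids it after repeated wrong guesses, and accepts it once.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed policy: a code is valid for five minutes
MAX_ATTEMPTS = 5         # assumed policy: wrong guesses allowed before the code is voided


class SecondFactor:
    """Server-side half of a 'code sent to your phone' login step (hypothetical helper).

    Only a salted hash of each code is stored, together with its expiry and a
    guess counter, so a copy of this table does not reveal usable codes.
    """

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so expiry can be exercised in tests
        self._pending = {}       # username -> [salt, code_hash, expires_at, attempts]

    def issue(self, username: str) -> str:
        """Create a fresh six-digit code for the user and return it for delivery."""
        code = f"{secrets.randbelow(10 ** 6):06d}"   # uniform over 000000-999999
        salt = secrets.token_bytes(16)
        self._pending[username] = [salt, self._digest(salt, code),
                                   self._clock() + CODE_TTL_SECONDS, 0]
        return code   # hand this to the SMS/app sender; never write it to a log

    def verify(self, username: str, submitted: str) -> bool:
        """Check a submitted code. Codes expire, are single-use and are voided after too many guesses."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        salt, code_hash, expires_at, attempts = entry
        if self._clock() > expires_at or attempts >= MAX_ATTEMPTS:
            del self._pending[username]     # expired or being brute-forced: void it
            return False
        entry[3] += 1
        # constant-time comparison so timing does not leak how many digits matched
        ok = hmac.compare_digest(code_hash, self._digest(salt, submitted))
        if ok:
            del self._pending[username]     # single use
        return ok

    @staticmethod
    def _digest(salt: bytes, code: str) -> bytes:
        return hashlib.sha256(salt + code.encode("utf-8")).digest()


if __name__ == "__main__":
    sf = SecondFactor()
    code = sf.issue("admin")
    print("delivered code:", code)
    print("correct code accepted:", sf.verify("admin", code))
    print("replay rejected:", sf.verify("admin", code))
```

The attempt counter matters because a six-digit code has only a million possibilities; without a limit and an expiry, an attacker who can keep submitting guesses at the login form does not need the phone at all. Codes delivered by SMS can be intercepted through SIM-swap fraud, so an authenticator app is the stronger choice where your admin users can use one.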
One easy way to make your website more secure, if you have not done so already, is with an SSL certificate. SSL stands for Secure Sockets Layer, the protocol that provides the encryption (its successor, TLS, is what browsers actually negotiate today, but the certificates are still commonly called SSL certificates). SSL certificates provide secure, encrypted communication between a website and a browser: when a browser contacts your secured website, the certificate enables an encrypted connection. Encrypting data submitted through enquiry forms and other important data-entry forms on your website is essential these days, and HTTPS is an easy way to implement what is called ‘encryption in transit’, transit being the data moving from one place to another. The other encryption you should have implemented is ‘encryption at rest’, which means encrypting data where it is stored. Both should be in place to ensure adequate protection of your data.
From October 2017, Google Chrome displays any HTTP web page (one served without an SSL certificate) that contains text input fields such as contact forms, search bars or login panels as “Not Secure” in the address bar. Visitors to your site will notice this and may leave if they see it.
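The two paragraphs above say that form data must travel over HTTPS and that browsers now flag plain-HTTP forms. Here is an added Python example, not code from the article or from SOZO, that shows the in-transit half in working form: a server-side TLS context that refuses the obsolete SSL 3/TLS 1.0/1.1 versions, and a WSGI middleware that redirects any plain-HTTP request to the HTTPS site and sets an HSTS header so the browser stays on HTTPS afterwards. The hostname `www.example.test`, the one-year HSTS lifetime and the `demo_app` contact form are constructed for illustration; the real site would still load its own certificate with `load_cert_chain`. Encryption at rest is a separate control and is not shown here.

```python
import ssl

HSTS_MAX_AGE = 31536000   # assumed policy: browsers remember to use HTTPS for one year


def harden_tls_context() -> ssl.SSLContext:
    """Server-side TLS context that only accepts TLS 1.2 and newer.

    The caller must still run ctx.load_cert_chain(cert_file, key_file) with the
    certificate issued for the site; no real certificate is assumed here.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def https_only(app, canonical_host):
    """WSGI middleware: redirect plain-HTTP requests to the HTTPS site and add HSTS.

    The redirect always targets canonical_host rather than echoing the request's
    Host header, so a crafted Host header cannot turn this into an open redirect.
    """
    def wrapped(environ, start_response):
        if environ.get("wsgi.url_scheme") != "https":
            target = f"https://{canonical_host}{environ.get('PATH_INFO', '/')}"
            if environ.get("QUERY_STRING"):
                target += "?" + environ["QUERY_STRING"]
            start_response("301 Moved Permanently",
                           [("Location", target), ("Content-Length", "0")])
            return [b""]

        def start_with_hsts(status, headers, exc_info=None):
            hsts = ("Strict-Transport-Security",
                    f"max-age={HSTS_MAX_AGE}; includeSubDomains")
            return start_response(status, list(headers) + [hsts], exc_info)

        return app(environ, start_with_hsts)
    return wrapped


def demo_app(environ, start_response):
    """Constructed stand-in for the site: a contact form page."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"contact form"]


secure_app = https_only(demo_app, "www.example.test")   # hostname is an assumption


def run_request(app, environ):
    """Invoke a WSGI app with a constructed environ; returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    print(run_request(secure_app, {"wsgi.url_scheme": "http",
                                   "PATH_INFO": "/contact", "QUERY_STRING": "ref=1"}))
    print(run_request(secure_app, {"wsgi.url_scheme": "https",
                                   "PATH_INFO": "/contact", "QUERY_STRING": ""}))
```

One caveat the redirect does not solve: a form that a visitor has already submitted over plain HTTP has already crossed the network unencrypted before the redirect is seen. That is why the HSTS header matters, and why the form page itself should never be reachable over HTTP in the first place.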
Data protection by education
Over 90% of data breaches are perpetrated by a business's own staff members! You have to educate staff on GDPR and on what counts as a breach. If someone sends an email containing personal data to the wrong person, that is a breach. If someone stores personal data on a work laptop that lacks sufficient security software and the data is stolen or hacked, that is a breach.
GDPR is a business-wide operation and obligation, not the tick-box exercise that many people take security to be. Each new project, campaign or technology that will handle personal data must be run in a GDPR-compliant manner with the appropriate measures in place. It is therefore an ongoing process that evolves with your business, not a matter of installing one piece of security software and waiting for the next one to come out. Educating your staff is one of the best security measures you can take, and the best prevention against data breaches and a damaging fine.
For more crucial insights into GDPR and preparing for 25th May 2018, read more from SOZO’s GDPR Blog:
Disclaimer: The information in this article is for your general guidance only and is not and shall not constitute legal advice. If you need advice on your rights or responsibilities or any legal advice around data protection matters, please obtain specific legal advice and contact an adviser or solicitor, or consult the Information Commissioner’s Office (ICO - https://ico.org.uk/)