We’ve all seen the news. The numerous cyber-attacks and security incidents at organisations around the world have propelled data protection to the top of board agendas everywhere.
GDPR is a response not only to these incidents but also to changes in technology, the way we interact and the vast quantities of data created every second of every day. Existing data protection laws pre-date the internet and simply don’t fit today’s connected world.
GDPR is focused on data which identifies us as individuals and seeks to protect us. It won’t stop covert tracking online, profiling and cold calling, but it will make sure they are done transparently, putting us in control of our information.
Of course, there’s always going to be an element of human error, so GDPR won’t stop all breaches. It will, however, help you identify where your business might be attacked, highlight improvement opportunities and address vulnerabilities proactively rather than reactively.
The reality is GDPR will impact all businesses. Whether you are a small trader or large global operator, everyone needs to be prepared. And there are some pretty hefty fines for any businesses that don’t comply – up to 20m Euros or 4% of your global annual turnover, whichever is higher.
Earlier this year I spoke alongside the Information Commissioner’s Office (ICO) at GDPR – Making it real, the BCS Chartered Institute for IT’s national event, and presented on the legal implications for businesses. The ICO website should be the starting point for information for all businesses on GDPR. It has lots of accessible guides and a blog about GDPR.
Lots of businesses don’t know where to start with GDPR compliance.
My top tip? Data mapping.
The first thing that any business should do in preparation for GDPR is map the flow of personal data through its organisation, from collection to destruction. The data map will need to be kept up to date as the organisation changes, and all data processes, procedures and policies will be based on it.
While there is much to consider, it is important to remember that GDPR isn’t just about protecting data. It is about protecting your business too.