The furore around GDPR implementation has died down and that’s a good thing says Natasha Bougard of TSG, because for engineers it will be an ongoing task rather than a fixed deadline...
The General Data Protection Regulation (GDPR) hit the headlines non-stop since it was first announced two years ago, thanks to the huge fines attached to non-compliance, but there’s been little in the way of guidance. The good news is that compliance is more of an ongoing journey than a task that could be marked as having been completed on 25 May 2018.
For the engineering sector, the most important aspect of GDPR is the notion of privacy by design. This means data protection and privacy must take centre stage at the beginning of any new project. Security and compliance must be paramount to any new systems or functionalities that process data. Beyond this are five key areas you should focus on:
Building your walls of defence
The data that’s applicable under GDPR is Personally Identifiable Information (PII), which can range from names, telephone numbers and email addresses to credit card numbers and even CCTV footage.
Many businesses that don’t store customers’ personal information make the mistake of thinking this doesn’t apply to them; however, all hold employee information. Therefore, all businesses must put measures in place to safeguard that digitally-stored data.
Rendering data unintelligible to thieves
The best method is a multi-layered approach. Encryption should be top of your list - not only is it a robust way to keep your data inaccessible to cyber criminals, it’s recommended throughout the full GDPR documentation. Should any PII data you hold fall into the wrong hands it will render it unintelligible. Encryption can operate at a file, folder, device or even server level, offering the protection most suited to your needs.
Reviewing your policies and processes
Simply experiencing a cyber-attack or data breach won’t automatically result in financial punishment, should you prove you put in place measures
Complying with individual requests
Individuals can request access to the data you hold on them, verify that you’re processing it legally and in some cases, request erasure of their data – the ‘right to be forgotten’. Under GDPR you’ll have only a month to respond to these requests, otherwise you’ll be at risk of non-compliance. More guidance on this can be found at the Information Commissioner’s Office Guide.
Acting fast on breaches
Whilst businesses are most fearful of experiencing a data leak, not reporting it to the ICO could be considered a bigger infraction than the breach itself. Businesses must report it to the Information Commissioner’s Office (ICO) within 72 hours of discovery. Failing to meet this obligation could be considered a bigger breach of the GDPR than the data leak itself.
Finally…don’t panic. It’s important to note that simply experiencing a cyber-attack or data breach won’t automatically result in financial punishment; the GDPR clearly states that, should you prove you put in place measures to protect your PII data, you won’t be hit with the most severe fines.