From May 25th, a new law will have huge consequences for companies failing to protect personal data. The General Data Protection Regulation (GDPR) will be the biggest shake-up in data privacy in 20 years.
Last month we learned that the political consultancy Cambridge Analytica used data harvested from millions of Facebook users without their consent. It has been another wake-up call for data security. Personal data is not just valuable to yourself, but hugely valuable to others.
Finally, there is a law on data protection that is about to catch up with technological changes. The GDPR seeks to put power back in the hands of individuals by forcing those who process our data to be both more transparent about their processing activities and more responsive to individuals' demands about privacy-invasive processing.
Among the many changes are measures that make it:
- Quicker and cheaper to find out what data an organization holds on you.
- Mandatory to report data security breaches to the information commissioner.
All organizations will have to review their systems and the way people work. And they should focus on technical security, including the use of encryption and the robust application of security patches.
Ensuring that employees are aware of security risks will also be a priority. The rising popularity of bringing your own device to work (BYOD) and of memory sticks poses particular risks. A failure to ensure that such devices are encrypted can immediately expose organizations to a fine.
It has long been unlawful for email marketing to be sent without our consent. But GDPR significantly tightens up the rules. Consent must be freely given, specific, informed and unambiguous. It is not allowed to be buried in lengthy terms and conditions.
That makes it much harder for marketers to establish that they have the requisite permissions, which is why your inbox has probably been littered recently with emails asking for your consent to continue receiving messages. And it must be as easy to withdraw consent as it is to give it.
Most public authorities and organizations that monitor and track behaviour must appoint a data protection officer. DPOs’ duties will include monitoring compliance with the law, training staff and conducting internal audits.
They will also be the first point of contact for supervisory authorities and for individuals whose data is processed, including customers and employees. They must be given the resources to do their job and must have direct access to the highest level of management.
Another possibility is to use the help of a Virtual CISO (Chief Information Security Officer). A virtual CISO takes responsibility for growing the information security program and, above all, is an effective and low-cost solution for companies looking for an alternative to a full-time employee.
Companies will be obligated to clearly inform individuals about why they are collecting their personal data, how it is going to be used and with whom it is going to be shared. All of which means that the GDPR should make our personal data safer and less easily obtained by those we don’t want to have it.
Read more about our Virtual CISO service and how your company could benefit from it.