Privacy, rights, fines, compliance, data subjects… these are just a few of the buzz words associated with the GDPR that will apply from 25th May this year. If you’re unsure what this means for you and your business, and don’t know where to start, you’re certainly not alone, but with only three months to go, you need to act quickly to ensure your company is GDPR compliant.
Your personal data is at risk
To put into context just how at risk we all are as individuals, here’s an example of how an email address (whether yours or possibly one of your clients), when in the wrong hands can result in a loan being taken out in that name.
Sat in front of a computer, an attacker can use your email address to identify your name, and with that, find all of your public and private social media accounts. This provides access to endless amounts of data about you – friends, colleagues, likes, dislikes, political opinion, holidays, names of your loved ones, any pets, which watch you have, your mobile phone make, your car, and so on – it can all be identified.
With this information your full UK postal address can be identified with very little effort and cost. And now the real fun can begin. The information gathered from publicly available sources can be used to perform a targeted dark web search. Such a search can uncover valid bank account and credit card details – providing enough information to apply for a loan.
What does all of this have to do with the GDPR?
The new Government regulation puts individuals back in control of their data and makes companies accountable for any negligence or lack of security surrounding that data. This will therefore force companies to be more transparent in terms of how they handle, protect, share and use personal data, as those who don’t comply will face astronomical fines. So although the GDPR won’t actually stop personal data getting into the wrong hands, it will mean that personal data accessible in the public domain will be significantly better protected.
Until now, fines from regulatory bodies have not carried enough weight to justify investing in policies, procedures and IT security, but the GDPR changes all this. Non-compliant companies will face substantially larger fines of up to €20 million or 4% of annual turnover of the previous year, whichever is greater. This new regulation isn’t aimed only at large companies, but at SMEs too, so whatever your business turnover and whichever industry you operate in, don’t let your company be an easy target. Make sure you are GDPR compliant, or you’ll have to pay the consequences, literally.
To put this into perspective, if the GDPR had been in place prior to the Equifax data breach last summer, putting aside litigation from individuals and other organisations, Equifax would have faced a fine in excess of $60 million for its failure to protect its client data. And yet, if Equifax had had the appropriate policies, procedures and IT security controls in place as mandated by the GDPR, this may well not have happened. Indeed, following the GDPR such data breaches should be far fewer, and the chances of someone being able to easily access enough information to obtain a loan in another person’s name should dramatically decrease.
How will the GDPR affect you and your business?
As a GDPR Practitioner who has conducted dozens of audits and risk assessments for organisations against the GDPR legislation, I can confidently say that all organisations processing personal data, without exception, carry risk when it comes to the GDPR. I therefore recommend you seek advice on the real impact the GDPR will have on you and your business. Regardless of whether you’re a business owner or a member of staff, the GDPR is designed to protect your data and the data of your clients.