What General Data Protection Regulation (GDPR) means for UK small businesses?


The General Data Protection Regulation (GDPR) replaces the Data Protection Act (DPA) in May 2018. It provides a new data protection framework to cover the collection, processing and protection of personal data on EU citizens and will have an impact on all business.

Why does the Data Protection Act (DPA) need to be replaced?

The DPA was implemented in the 1990s, when there was no social media or cloud computing. It does not reflect how we now live and do business; we need better ways to protect and use personal data. The good news is that many of the concepts and principles are much the same as those in the DPA, so if you are complying now then most of your approach remains valid.

Does BREXIT make a difference?

No, the UK Government has confirmed that GDPR will be implemented in May 2018. The Information Commissioner has said: “There may still be questions about how the GDPR would work on the UK leaving the EU but this should not distract from the important task of compliance with GDPR by 2018.”

What is meant by personal data?

The definition of personal data is much wider than under the DPA. It includes online identifiers, such as the id of your mobile phone while you browse the internet, along with HR, customer and supplier records. There is no distinction between personal data of a business contact and that of a client or customer, and it covers electronic and paper records with personal details.

What happens if I do nothing?

You could be fined. The GDPR says fines should be “effective, proportionate and dissuasive” and can be issued for a data breach or failure to show compliance. The fines can be up to €20m or 4% of global turnover (whichever is the higher) depending on the scale of the issue.

Is this really just an IT issue?

No, but having robust IT systems will be essential to being compliant. The GDPR references the need for “…appropriate technical and organisational measures be taken” 10 times. You need to have processes and procedures in place to deal with issues such as removing personal data when it is no longer required or when someone has asked for their data to be removed, and to ensure that data protection requirements are always considered when updating a process or system that uses personal data.

What about “Consent” to contact someone?

This could be a big change for some businesses. You will generally need to have records showing that someone has given “unambiguous” consent for you to contact them. The use of “opt out” boxes to indicate consent is not permitted. For business contacts, marketing emails may be allowed without seeking permission, provided the contact details were obtained during the course of “a sale of a product or a service”.

What do I need to do?

First, find out more about the GDPR principles so you can understand the impact it will have on your business. After this, you should do an audit of all your personal data and determine where you already meet the GDPR principles and where changes are required to processes, procedures and IT.

About the Author: Ian Grey is an Information and Cyber Security Consultant at Wadiff Consulting

7 security risks from consumer-grade file sync services


Love it or hate it, the Cloud is now ever-present in corporate life. It is now commonplace for businesses, big or small, to access cloud services in some form or other as part of their day-to-day business operations. It has also been widely documented that the use of these services has enabled departments to address certain situations or deliver solutions without ever involving the IT department or gaining sign-off from Finance. Company data is now more at risk than it ever was.

Consumer-grade file sync solutions (referred to as CGFS solutions) similar to Dropbox pose many challenges to businesses that care about control and visibility over company data. Below are seven of the biggest risks that these solutions pose in a business environment.

1. Data theft

Most of the problems with CGFS solutions emanate from a lack of oversight. Business owners are not privy to when an instance is installed, and are unable to control which employee devices can or cannot sync with a corporate PC. Use of CGFS solutions can open the door to company data being synced (without approval) across personal devices. These personal devices, which accompany employees on public transit, at coffee shops, and with friends, exponentially increase the chance of data being stolen or shared with the wrong parties.

2. Data loss

Lacking visibility over the movement of files or file versions across end-points, CGFS solutions improperly back up (or do not back up at all) files that were modified on an employee device. If an end-point is compromised or lost, this lack of visibility can result in the inability to restore the most current version of a file, or any version for that matter.

3. Corrupted data

In a study by CERN, silent data corruption was observed in 1 out of every 1500 files. While many businesses trust their cloud solution providers to make sure that stored data maintains its integrity year after year, most CGFS solutions don’t implement data integrity assurance systems to ensure that any bit-rot or corrupted data is replaced with a redundant copy of the original.

4. Lawsuits

CGFS solutions give carte blanche power to end-users over the ability to permanently delete and share files. This can result in the permanent loss of critical business documents as well as the sharing of confidential information that can break privacy agreements in place with clients and third-parties.

5. Compliance violations

Since CGFS solutions have loose (or non-existent) file retention and file access controls, you could be setting yourself up for a compliance violation. Many compliance policies require that files be held for a specific duration and only be accessed by certain people; in these cases, it is imperative to employ strict controls over how long files are kept and who can access them.

6. Loss of accountability

Without detailed reports and alerts over system-level activity, CGFS solutions can result in loss of accountability over changes to user accounts, organisations, passwords, and other entities. If a malicious admin gains access to the system, hundreds of hours of configuration time can be undone if no alerting system is in place to notify other admins of these changes.

7. Loss of file access

Consumer-grade solutions don’t track which users and machines touched a file and at which times. This can be a big problem if you’re trying to determine the events leading up to a file’s creation, modification, or deletion. Additionally, many solutions track and associate a small set of file events which can result in a broken access trail if a file is renamed, for example.

In summary, consumer-grade file sync solutions pose many challenges to businesses that care about control and visibility over company data. Allowing employees to utilise CGFS solutions can lead to massive data leaks and security breaches.

Many companies have formal policies that discourage employees from using their own accounts. But while blacklisting common CGFS solutions may curtail the security risks in the short term, employees will ultimately find ways to get around company firewalls.

The best way for businesses to handle this is to deploy a company-approved application that allows IT to control the data, yet grants employees the access and functionality they feel they need to be productive.

Contact our Cloud specialists to gain a better understanding of how you can boost your employees’ productivity without risking the security of your company data.

We’re here to help.