Data breaches continue to be a serious problem for business. According to UK government statistics, 46% of organizations experienced a security breach of some kind during 2017. And similar figures are recorded worldwide.

The reputational damage of these incidents is significant, driving customers away. And now the fines applicable under the GDPR make breaches even more costly. So how do you avoid data loss and theft in future?

1. Understand your responsibilities

It is impossible to define effective policies, procedures and safeguards if you do not fully understand your responsibilities under the GDPR. Your first step to avoiding breaches is to understand what constitutes a breach, and what your role in protecting data is.

The General Data Protection Regulation outlines your legal responsibilities – and the penalties for breaches. You can read the full regulation text on the official EUR-Lex website. If you need further advice, please get in touch and the Advantio team will assist.

2. Understand your data estate

As well as understanding your obligations, you also need to know what data you have, and your current level of GDPR compliance. To avoid breaches, you must be able to identify, among other things:

  • The personal information you store
  • Where personally identifiable information is stored
  • The security provisions in place to protect that information

By knowing what you already have, you can more accurately plan improvements. The GDPR speaks in Article 30 about maintaining data records. A data processing inventory is a good place to start and we can help you with this.

3. Implement/update data protection policies and procedures

With the discovery audit complete, you must then develop policies and procedures to govern how information is collected, stored, processed and – eventually – deleted. You should also deploy and configure appropriate technical solutions to enforce these data protection policies wherever possible.

4. Train your people

Your employees have two roles under GDPR. First, they must ensure that all processing of personal data is carried out in accordance with data protection regulations. Second, they play an important part in helping to identify potential issues and preventing low-level data breaches.

You must provide sufficient, ongoing training to help employees understand these roles. The more skilled they are in detecting and preventing issues, the better your organization will be at avoiding GDPR breaches. Training goes beyond IT and legal teams. Any employee handling personal data should have the skills to handle it in a compliant manner.

5. Review frequently

Cyberattack techniques continue to evolve, and your security provisions and policies need to keep pace with each development. You must regularly review your systems to ensure they remain compliant, and that you are deploying new security measures as they become available.

Like PCI DSS and other security standards, compliance is an ongoing process, not a single point-in-time event. You must schedule regular compliance checks and data audits to ensure you are properly protecting the personal data held by your business.

Preparation and vigilance are key

There are two key areas of focus for preventing GDPR breaches. First, you need to understand the information you hold and how it is protected. Second, you need to ensure that everyone in the business is following data protection policies and actively working to keep information safe and secure.

Start your GDPR compliance journey by downloading the GDPR Mapping Questionnaire, which outlines the questions you need to ask across your business.


Written by Andrea Raeli

I am Advantio's Managing Consultant and GDPR Practitioner, in charge of exploring new markets and developing new offers and opportunities, ranging from PCI to GDPR and up to ISO 27001.

Having grown up with the Commodore VIC-20, tapes and floppy disks, I've always been passionate about technology and everything that surrounds it. The way these evolve is like a never-ending marathon for me. Making security accessible to everyone is what drives me to become a man of value.

Certifications: CISA / CISM / ISO 27001 Lead Auditor / PCI QSA