Data breaches continue to be a serious problem for business. According to UK government statistics, 46% of organizations experienced a security breach of some kind during 2017. And similar figures are recorded worldwide.
The reputational damage of these incidents is significant, driving customers away. And now the fines applicable under the GDPR make breaches even more costly. So how do you avoid data loss and theft in future?
1. Understand your responsibilities
It is impossible to define effective policies, procedures and safeguards if you do not fully understand your responsibilities under the GDPR. Your first step to avoiding breaches is to understand what constitutes a breach, and what your role in protecting data is.
The General Data Protection Regulation outlines your legal responsibilities – and the penalties for breaches. You can read the full regulation text on the official EUR-Lex website. If you need further advice, please get in touch and the Advantio team will assist.
2. Understand your data estate
As well as understanding your obligations, you also need to know what data you have, and your current level of GDPR compliance. To avoid breaches, you must be able to identify among other items:
- The personal information you store
- Where personally identifiable information is stored
- The security provisions in place to protect that information
By knowing what you already have, you can more accurately plan improvements. The GDPR speaks in Article 30 about maintaining data records. A data processing inventory is a good place to start and we can help you with this.
3. Implement/update data protection policies and procedures
With the discovery audit complete, you must then develop policies and procedures to govern how information is collected, stored, processed and – eventually – deleted. You should also deploy and configure appropriate technical solutions to enforce these data protection policies wherever possible.
4. Train your people
Your employees have two roles under GDPR. First, they must ensure that all processing of personal data is carried out in accordance with data protection regulations. Second, they play an important part in helping to identify potential issues and preventing low-level data breaches.
You must provide sufficient, ongoing training to help employees understand these roles. The more skilled they are in detecting and preventing issues, the better your organization will be at avoiding GDPR breaches. Training goes beyond IT and legal teams. Any employee handling personal data should have the skills to handle it in a compliant manner (more here).
5. Review frequently
Cyberattack techniques continue to evolve, and your security provisions and policies need to keep pace with each development. You must regularly review your systems to ensure they remain compliant, and that you are deploying new security measures as they become available.
Like PCI DSS and other security standards, compliance is an ongoing process, not a single point-in-time event. You must schedule regular compliance checks and data audits to ensure you are properly protecting the personal data held by your business.
Preparation and vigilance are key
There are two key areas of focus for preventing GDPR breaches. First, you need to understand the information you hold and how it is protected. Second, you need to ensure that everyone in the business is following data protection policies and actively working to keep information safe and secure.
Start your GDPR compliance journey by downloading GDPR Mapping Questionnaire which outlines the questions you need to ask across your business.