GDPR has now been in force for over two months and has brought with it a whole new approach to data privacy. Although the idea of protecting people’s personal data is not a new one, GDPR marks a complete step change in data governance.
It requires that data is:
- Processed lawfully, fairly and in a transparent manner
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
- Accurate and, where necessary, kept up to date
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
The last bullet point is arguably the most important for organisations, as breaches of personal data security that would have cost an organisation £100k might now end up costing many millions if businesses don’t comply and prove that they are doing so. C-level executives and those with system responsibility, particularly in this age of The Cloud, would probably consider this the most challenging aspect.
While GDPR should certainly be welcomed, from both a data privacy and cyber security point of view, it is vital that businesses do not become complacent. Although GDPR does include an element of security, there are still many areas it does not address, which can leave organisations open to threat.
Unfortunately, cyber threats are constantly changing and evolving, so any organisation which thinks it can rest on its laurels post GDPR compliance is in for a shock.
So, what are the key areas that need to be considered above and beyond GDPR processes?
Bring Your Own Device (BYOD)
The use of personal smartphones, tablets and laptops to carry out business does increase the risk of data loss – either through human error or by providing a way in for cyber criminals.
Cloud computing is convenient, increasingly popular, and is generally considered to be secure. However, this is not always the case. As both public and private clouds are essentially centralised systems with just one point of vulnerability, it is relatively easy for someone to ‘leave the door open’ either through incompetence or maliciously.
Voice and video
Many organisations also fail to consider how telecoms, and increasingly, video factor into their overarching cyber-security strategy. Of course, it is essential for any business to have effective communications, from informal conversations between colleagues, to confidential client discussions. However, voice and video are just as susceptible to hacks as other systems.
All too often, people are the weak link in the security chain. This is not always malicious, but human error is a huge cause of cyber attacks and data breaches. Huge issues can arise from something as simple as sending information to the wrong email address, losing a phone or laptop or using default passwords. Then there are also the situations where employees wilfully cause security attacks or leak data.
Fortunately, there are key steps that organisations can take to help ensure that cyber security and data privacy threats are mitigated.
Digital security and privacy should be an automatic right for businesses, yet sadly they are not. However, there are ways for organisations to make a stand and take back control, allowing them to enjoy a private and secure digital life.
Solutions such as Siccura, which is coming soon, will enable businesses to control all data through a centralised administration system, synchronise all business email accounts, track all business communication and data and encrypt all files.
Covering all bases
As there are so many ways that attacks and breaches can occur, it is key for any comprehensive security strategy to take advantage of a solution that can cover not just email, but instant messages, SMS, voice and video calls, servers and any documents and files stored on cloud, local and removable storage, across a wide range of devices.
Not only this, organisations also need to consider whether they have the ability to take back, block access to and destroy data if necessary, for example if an employee leaves or if an employee’s phone, which they have been using to access company emails, is lost.
Keeping it simple
An organisation can implement the most robust security measures there are, but if they are not intuitive, simple and easy to use, employees will find ways to sidestep them, which defeats the object somewhat!
There is no escaping the fact that the way people work is changing and any draconian security measures that don’t enable flexible and agile working will not be effective. Leaders need to find solutions that can offer complete security, while also being easy and practical for all employees to use.
Cyber security and data privacy are big issues for businesses of all sizes. GDPR is certainly one way to help, but it should only be seen as one tool in the fight against cyber threats.
About the Author
Ajit Patel is CEO of Siccura, a groundbreaking new solution, coming soon, which allows users to take back control of their digital privacy. Developed in response to the volume and vulnerability of digital data and communication shared every day, Siccura is a simple-to-use software solution for businesses that puts users in total control of everything they send, share and store.