The European Union’s General Data Protection Regulation (GDPR) came into effect back in May 2018, but what does that mean for Australian businesses and cyber security?
What is GDPR?
First of all, what actually is GDPR? GDPR is short for General Data Protection Regulation. It was brought in by the European Union on 25th May 2018. The regulation was created to give individuals more control over their personal data and to hold businesses to rules on how they handle personal customer data. This data could include name, address, IP address, phone number, email address or location data.
It is worth noting that an IP address or a transaction ID alone is not enough to identify an individual. However, even if this is the only information you collect, the rules are likely to still apply to you. While this data seems anonymous, if you were to cross-reference a transaction ID with your online store data, the individual could be identified. Therefore, the GDPR regulations will still apply, even though you may not be openly collecting personal information.
If you are collecting detailed personal information such as gender, biometrics, ethnicity, or personal data about children, then you will need to be extra careful when handling this data.
Is GDPR relevant to Australian businesses?
Even though you may not be a business in the EU, you may still have to comply with GDPR regulations.
Any business, no matter where in the world it is based, will need to comply with GDPR if it processes any personal data from a person living in the EU. This could be a client, a customer, or even someone signing up to your online newsletter or visiting your website.
For Australian organisations it is likely that you will be dealing with customers or suppliers who are from the European Union. If this is the case, then GDPR regulations will apply to you.
The basic rules of GDPR are that you must tell the person that you are collecting their data, what specific data you are collecting and how you will use that data. You must have a lawful reason to collect someone’s data and only use the data for the reasons you have told them. You must get an individual’s consent before collecting any personal data from them.
For example, if someone is signing up to an email newsletter, you must include consent boxes for email marketing if any future emails will be used to advertise or promote your business. If you state to the customer that by putting in their name and email they will get some sort of ‘freebie’ or a monthly newsletter with tips for businesses, you cannot then use that email for advertising purposes, as that is not what the person signed up for. You will need a consent box that clearly states that by adding their email they may receive advertising and promotional emails. It is up to the individual to decide, and if they do not want such emails you must only send emails for the reasons you have stated in the sign-up form.
GDPR cyber security
In terms of GDPR cyber security, you will need to ensure that personal data is processed and stored securely, in order to lower the risk of any data breaches. Not only does a major data breach hurt a company’s reputation, you may also be liable for a hefty fine (up to €20 million or 4% of worldwide yearly turnover) if you have not fully complied with GDPR regulations. This is reason enough for cyber security professionals to up their game and to ensure businesses have the best protection to prevent any data loss.
Any data you collect that can be anonymised or ‘pseudonymised’ should be. This will make it harder to identify individuals. Whether you are the controller (the party who decides what data is collected and how) or the processor (the party collecting, storing, and organising the data), you are liable if any information is leaked. If you are working with a third-party processor, such as Mailchimp for email marketing, then you should ensure they are also complying with GDPR regulations.
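To make the pseudonymisation point concrete, the following is an added example (not code from the original article or from Cube Cyber) of keyed pseudonymisation of direct identifiers. It assumes HMAC-SHA256 as the pseudonym function, invented field names (`customer_id`, `email`) and constructed sample records; the key, and the re-identification table that the controller keeps, must be stored separately from the pseudonymised dataset, since anyone holding both can re-identify people, which is exactly why GDPR still treats pseudonymised data as personal data.

```python
import hmac
import hashlib
import secrets

# Constructed sample records of the kind a small online store might hold.
# Names, emails and amounts are invented for this example.
CUSTOMER_RECORDS = [
    {"customer_id": "C1001", "email": "alice@example.com", "country": "DE", "order_total": 49.90},
    {"customer_id": "C1002", "email": "bob@example.com", "country": "AU", "order_total": 12.00},
    {"customer_id": "C1001", "email": "alice@example.com", "country": "DE", "order_total": 8.50},
]

# Fields that directly identify a person; everything else is left untouched.
DIRECT_IDENTIFIERS = ("customer_id", "email")


def pseudonymise_value(key: bytes, value: str) -> str:
    """Keyed, deterministic pseudonym: HMAC-SHA256 over the identifier.
    Same input under the same key gives the same pseudonym, so records can
    still be joined for analytics; without the key the pseudonym can neither
    be reversed nor recomputed from a guessed identifier (an unkeyed hash of
    a short identifier such as an email address would not give that guarantee)."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise_record(key: bytes, record: dict) -> dict:
    """Return a copy of the record with each direct identifier replaced by its pseudonym."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if field in out:
            out[field] = pseudonymise_value(key, out[field])
    return out


def pseudonymise_dataset(key: bytes, records: list) -> list:
    """Pseudonymise every record in a dataset under one purpose-specific key."""
    return [pseudonymise_record(key, r) for r in records]


def build_reidentification_table(key: bytes, records: list) -> dict:
    """Mapping pseudonym -> original identifier. The controller keeps this
    *separately* from the pseudonymised dataset (different system, tighter
    access control); storing it alongside the data defeats the purpose."""
    table = {}
    for r in records:
        for field in DIRECT_IDENTIFIERS:
            table[pseudonymise_value(key, r[field])] = r[field]
    return table


def datasets_joinable(key_a: bytes, key_b: bytes, value: str) -> bool:
    """True only if two datasets share a key. Using one key per purpose
    (e.g. analytics vs. marketing) means a leak of one dataset cannot be
    linked to another on the identifier."""
    return hmac.compare_digest(pseudonymise_value(key_a, value),
                               pseudonymise_value(key_b, value))


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generate and store in a secrets manager, not beside the data
    for row in pseudonymise_dataset(key, CUSTOMER_RECORDS):
        print(row)
```

Run stand-alone it prints the three records with both identifiers replaced by 64-character hex pseudonyms; the two orders from the same customer still share a pseudonym, so per-customer reporting works without the raw email ever leaving the controller's system.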
Data Loss Prevention (DLP) devices should be implemented to ensure that data is kept secure and personal information is not shared outside the company. In case of an unfortunate data breach, you must have an incident response plan already in place. This sets the groundwork for how you deal with a cyber attack, from identifying the attack and what data has been lost, to containing the attack, notifying the Data Protection Authority, and then recovering and learning from the incident.
For the best GDPR cyber security protection, it is best to have a multi-layered security solution. Firewalls will help prevent malicious software from entering or leaving your network, endpoint protection will help secure all devices (or entry points) into the network, VPNs and other encryption tools will ensure data is kept secure, and cloud security will protect data storage. Managing and monitoring threat detection is also key to stopping any attempted attack early.
Risk assessment and vulnerability scans need to be performed to assess cyber security solutions and to make sure everything is working correctly.
If you are worried about GDPR cyber security, or would like advanced protection for your organisation, then get a quote with Cube Cyber today, and our friendly experts will talk you through everything.