A colleague of mine recently sent me a post from Computing magazine entitled ‘Even one man band SME’s will be hit by new EU data regime’ (Link here) which made for some interesting reading. I also shared a LinkedIn article ‘How secure do I need to Be? Security for the layperson’, so it is an area that is quite prevalent at the moment.
They talk about the new General Data Protection Regulation (GDPR) and how every organisation will need to be prepared for when it comes into force in 2018. It does state that the enforcement regime for SMEs will be minimal IF you already have appropriate measures in place, but it is worth looking at your current compliance and future growth plans now to determine where you want your organisation to be by 2018 and the type of business you plan to be doing.
The reason for this inward look is that if you hold, or plan to hold, personnel AND customer data such as names, addresses and credit card details, there are governance and security measures you need to ensure are in place to be compliant.
There have been several data breaches in the news, such as TalkTalk, Moonpig, and even the giant Sony PlayStation Network, which you would think had plenty of protection in place; yet it was breached and thousands of names, addresses and even bank details were taken.
Your company may not hold thousands of records, but the same principles apply to organisations of every size, so get a review on the radar now.
Some of the proposed changes are:
• A much higher standard of consent
• Abolition of subject access request fees
• Mandatory appointment of a Data Protection Officer
• More severe fines and penalties for non-compliance. The fine is proposed to be 4% of international turnover
• Tracking of IP addresses banned
• Increased red tape for business
Once the appropriate level of security governance is in place it becomes much easier to maintain as you grow, because it becomes the ‘norm’. Also, as you take on more staff they will become familiar with your internal security policies and it becomes ingrained in the ethos.
Even before the GDPR comes into play, security should be an item on the agenda anyway because of the Data Protection Act and PCI DSS (if you take card payments). If you can demonstrate to your customers, both internal and external (should you be asked), that you have the appropriate governance in place, it builds their trust and promotes long-term engagement (which is good for all!).
Take some time over the coming weeks to review your security policies and procedures, if you have them, to make sure they are right for what you do now and are scalable to meet your growth plans. Burying your head in the sand won’t be an option when the GDPR comes into force, so make the right moves now; when it comes around it will be just another day and you won’t need to worry about it.
Contact Green Giant Consulting today on 01159 648 218 or visit www.greengiantconsulting.co.uk to book your free initial consultation.
Green Giant Consulting Ltd is part of the newly formed Business Support Alliance that can offer help and support for any area of your business, including data security.