EU GDPR: 7 steps to save yourself €1 million

by Daniel Hicks: IT and Telecommunications Specialist, Telefónica UK

Up to €1 million or 2% of global turnover. That’s the new penalty suggested by the European Council for the European General Data Protection Regulation (EU GDPR). But, there is talk of the maximum fine being increased to €100 million or 5% of global turnover. Once penalties are agreed, businesses will be given 2 years to prepare.

In a previous blog, I looked at the big names caught up in data breaches. Although their reputations were damaged, it did help others appreciate how often breaches are happening and how easily organisations can be targeted. But have businesses really done enough to address the financial implications of the alphabet soup that is the EU GDPR?

Time for a disclaimer – I’m not a lawyer. So I won’t pretend I can give you definitive legal counsel. But I do know technology and how it can be successfully implemented. It’s also worth keeping in mind that regulations are funny things. They might not say exactly what you must do, but instead use language that says you should take adequate steps to achieve “x, y and z.” In this case, if a security breach occurs and it’s decided you didn’t do enough to protect “x, y and z,” fines will be tallied up for each violation.

So, here are my 7 steps to ensure you’re prepared for EU GDPR, to prevent you getting hit with a €1 million fine:

  1. Keep things neat and tidy: Privacy policies, procedures and documentation need to be kept in order and up to date. These can be asked for at any time by data protection authorities.
  2. Start a club: Form a governance group that manages the protection of your data. Led by someone senior, the group should develop metrics around compliance to form part of the annual report. And, if you have over 250 employees, add a Data Protection Officer (DPO) to the payroll.
  3. Press that “record” button: If you record your fixed calls, make sure your mobile fleet is being recorded too. You can manage risk by covering all methods of communication.
  4. Education, education, education: Home and mobile workers need to know how to protect their working environments, and the data they use, from prying eyes. Develop and deliver a training program for your employees.
  5. Go paperless: Ditching paper has benefits beyond increasing efficiency and reducing costs. Going digital means auditing and monitoring data is much easier.
  6. Choose carefully: CAS(T) should be a consideration for selecting telecommunication providers. It builds on the IT governance of ISO 27001, especially when considering mobile users.
  7. Stay secure: Devices accessing data need to be secure. Mobile Device Management, and security services like Capsule, can help protect against intrusion and malware. And, O2 Gateway can deliver an extended secure network across mobile, Wi-Fi and fixed networks.

Two years to prepare might seem like a long time. It isn’t. In business terms, 2017 is just around the corner. Start your planning now to make sure best practices are followed and budgets are appropriately allocated. An effective strategy will help you meet the “privacy by design” requirement to integrate controls into your core systems. This will help you be, and stay, compliant.