UK Businesses Still Unprepared for GDPR – How to be Compliant

02/07/2018 05:36


With GDPR now in full effect, a huge number of UK businesses – large and small – are still leaving themselves open to data theft. For those companies that do fall victim to targeted attacks seeking valuable data, this could have very real financial repercussions under the GDPR framework.

New figures show that millions of UK businesses are currently using data storage methods that are not fit for purpose. To find out how your business could fall foul of GDPR, and how to avoid penalties, read on.



The Facts


The survey – conducted by Beaming – revealed that 4 million UK businesses are extremely vulnerable to data theft. The figures show that nearly 1 million UK businesses do not back up their data at all.

A further 2.8 million businesses do back up their data but keep the copies in the same storage location as the originals, so an attacker who reaches the primary data reaches the backup as well. 44 percent of small businesses do this, as do 42 percent of medium-sized ones. Worst of all, 17 percent admitted to not backing up data at all, leaving it solely on in-office computers and employee devices.



Compliance


With these shocking figures in mind – and the attendant potential fines – here’s what you need to do to ensure compliance for your business.

You need to ask yourself why you need the data you hold. Under GDPR, these reasons are known as a ‘lawful basis’. There are six categories under which an organisation or business may retain and process data: contract, legal obligation, consent, vital interests, legitimate interests and public task. You need to know which categories apply to you and why you need to retain this data.


Next, you need to know how to deal with individual rights requests. These are the legal rights every person has over their data. You need to be able to explain why you hold their data and, if they ask, you need to be prepared to delete it from your records. Compliance obligations like this make it important to establish whether you need a Data Protection Officer in your business. This person will be responsible for overseeing and monitoring your GDPR compliance.

Importantly, you need to be clear and able to explain how you store data. We’ve seen some of the horror stories above, and you need to be clear and consistent in how data is stored at rest, in use and when transmitted to another party.


Finally, you need to prepare for the worst-case scenario of a data breach. Who will report it? Who needs to be notified? You need to be fully aware of what to do if a breach occurs.

If you can work through this list and give clear, well-planned answers, then you are in a good place with regard to GDPR.
