The New GDPR World

Mark Davies - The Identity Organisation

In the new and imminent GDPR world, mandatory reporting of a data breach becomes a reality for all businesses, and for those businesses who don’t report a breach, very large fines will apply. Running a business is about to become even more complex, but the real issue will be, how you as a business owner protect the data you hold, and whether or not that protection works.

The threat landscape has changed and we’re all aware of recent high profile fraud attacks that have resulted in data breaches and loss of profit and productivity. Only the other night there was a report on BBC Points West about a firm in Somerset who switched to online banking for the first time, and were defrauded of £3 Million.

Whilst, this was more of a straightforward internet fraud, interestingly, in the new GDPR world, it’s likely that such a breach would come under scrutiny and there would be questions about the processes for the detection of, and response to cyber-attacks. No doubt, the Information Commission will be interested when Companies fall victim to a fraud, wanting to understand what else could have happened apart from the successful attack? That’s the connection between security and GDPR.

As customers become more and more aware of their privacy rights - much strengthened under GDPR - and as that awareness grows, the onus on Businesses to protect their customers’ privacy and security will grow with it.

Known unknowns
So, GDPR compliance cannot be a case of, “trying your best!”  Demonstrating that, as a Business owner, you have taken the security of customer data seriously, is the core aim of GDPR. But, because the threat online is continuously changing in response to new defences, businesses not expert in the cyber-security field cannot hope to protect themselves adequately. The question then becomes -How do you demonstrate that you have done your best? Quite simply, security must underpin everything that you do online. And another small wrinkle. GDPR doesn’t only apply to digital data, but also any information you might hold in paper format!

More and more investment by large companies is going into trying to second guess what hackers have done on their networks and how to respond to an attack. They’re partnering with lots of organisations to develop new defence systems and data audits across their networks.
Smaller and Medium-sized Businesses may feel that they can’t afford this kind of investment. The question you have to ask yourself is, “can you afford not too?” if you don’t trust your systems and processes, how can you expect your customers and suppliers too? Under GDPR, they will want to be able to trust you to protect their data.

Data is the future
There is a risk that a lot of smaller businesses will, “press the panic button,” and reduce or delete completely the data that they hold on customers and suppliers. But, if you have no insight about your customers anymore it’s going to put you in a difficult position. In the future, even more than now, businesses will need to make data work for them, to be able to grow. But, in the GDPR world, they won’t be able to take a haphazard approach to how they use, store and protect that data.

Businesses of all sizes will have to make people aware of what they’re doing with their data, where it is, what it is and how they can get access to it. And as the public begins to understand what their data is worth, not just to the businesses they interact with, but also those who would seek to use it for criminal purposes, it’s only natural that they will want to see it protected. So, it’s not just about protecting the data you hold, but also protecting and growing your Business.

In summary. In the new GDPR world, all businesses will have to be transparent about the data they hold and what they do with it, comply with regulations and protect the data they hold.

Essentially, everything will come down to, as it always does. Trust!