In Week 2 of National Cyber Security Awareness Month (NCSAM), the spotlight is on businesses—particularly, their more profound need to take cybersecurity seriously in this age of breaches. And what better way for them to start this off than to think about how they can improve on handling and storing their clients' data safely and securely?
If this sounds more like a privacy issue to you, it is. What many should realize is that privacy and security are closely linked. In fact, one cannot think of improving on privacy without improving on security as well, and vice versa.
With the coming of the General Data Protection Regulation (GDPR), a chiefly privacy-focused ruling for companies doing business in Europe, in less than nine months time, a majority of B2C and B2B organizations in the US still have a lot of catching up to do in the matter of compliance. So, without much ado, let's get down to the nub of what to do to prepare for GDPR's approach.
- Prioritize. Senior management must be on board with preparations needed for change to happen. The GDPR is not something your IT department can handle on their own. In fact, the GDPR transcends the boundaries of IT and extends to other areas in the organization, such as marketing and sales. It's high time for companies to wake up and act fast by putting cybersecurity and data privacy at the top of their priority list.
- Assess. Take the time to sit down and review your current and target customer base. This is a crucial stage as results will dictate whether your business must comply with GDPR standards or not. (Though a bulk of US businesses are small businesses, and not all of them cater to European and UK citizens, even with an online presence.) If your company does handle personal data from citizens of European member states, ascertain what types of data you currently transmit, process, and store. Also, weigh the value of each data type you are storing. Ask yourself this: "Does the company really need to keep this data? Does this bring sufficient value to the company?" If both answers are "no," it might be best to get rid of it.In June, popular pub and hotel chain, JD Wetherspoons, decided to delete their full database of client email addresses, which they had used to send email newsletters, after evaluating that they don't want to hold them anymore. Instead, they decided to use social media to notify patrons of deals and special offers.Here are other questions to guide you in your assessment:
- How do you get personal data from your clients? (e.g., forms in company website)
- Where do you store client personal data? (e.g., PC hard drive, the cloud)
- How do you protect stored data?
- Where are client data backups kept? (e.g., removable storage media)
- Are their gaps in the current processes or controls you already have in place?
- Hire. Having a Chief Protection Officer (CPO) or Data Protection Officer (DPO) may be crucial, yet not every organization that controls or processes user data must have a DPO. The GDPR explicitly requires authorities that (1) process personal data, (2) handle a lot of data, and (3) manage "special categories of personal data"—genetic, biometric, and health data, to name a few—to hire or appoint a DPO. Its principal role is to ensure that companies remain compliant with GDPR standards. Organizations who merely don't have the time or resources to prepare may decide to hire a third-party consultant to help them out, and this is fine, too.
- Plan. Draft a data protection and mitigation plan that best suits your company. Following a template doesn't cut it anymore. Plans must be customized to address or reduce the risks that come with how a business processes data. Also, firms with privacy policies in place must revamp them to cover extended rights that are given to EU and UK nationals. To guide you on how to go about doing this, try answering these questions:
- How will you keep the stored data safe? (e.g., encryption)
- How should you handle requests from clients to delete their data?
- How can you make data available to clients?
- How can you make client data portable?
- What should your incident response, in the event of a breach, look like?
- Implement. Now that you made the assessment, hired a consultant, and answered the questions and planned around them, it's time to put those plans into action. Start backing up files, encrypting them if you think it's necessary, limiting access to sensitive data to specific individuals only, training up your staff about your security and privacy policies, and making sure that all your supply chains have been informed and confirmed to be on board with the changes.
- Test. If you have envisioned and drafted an incident response plan, you should put it to the test. See how well the relevant teams in your organization handle a pretend breach based on the new protocol, identify the good points and bad points from it, and make the necessary adjustments to remove or at least minimize the latter. After changes are made, further refine the terms by testing them again and again.
- Persevere. Starting is one thing, but keeping your plan in place is another. Businesses must continue to remain compliant in the long term by doing a continuous assessment and process improvement. This also includes the regular training of employees and continuing to adhere to a culture of security and privacy in the workplace.