GDPR. Five side-effects - and five next steps
It’s probably safe to say many of us are more data aware since the General Data Protection Regulation (GDPR) arrived this May.
By now most of us know that protecting personal data matters. Organisations that misuse data, or find theirs has been lost or stolen, are not just running a reputational risk but could also face a fine of 20 million Euros or 4% of annual global turnover.
The GDPR applies to all organisations, anywhere in the world, that handle EU citizens’ data. The rules give consumers new rights, including rights to find out what data is being held on them, and to delete that information unless an organisation has a good reason to keep it.
What has GDPR produced in its first six months? Here are five reported effects, and five good steps every organisation should be taking:
Five effects of GDPR
1 – Public awareness
Consumers appear to be more aware of these privacy rights, according to the Information Commissioner’s Office. It says it has seen a rise in breach notifications from organisations, as well as more data protection complaints. The first month of GDPR saw a sharp increase in the number of complaints to regulators across Europe.
2 – Unnecessary opt-in requests
Businesses’ understanding of when to seek data consent may be mixed. Many of the ‘you need to opt-in again’ requests may have been too cautious, according to the data protection chief and deputy chair of the newly created European Data Protection Board.
He says that companies don’t need consent to send marketing emails to existing customers. They also do not need consent to send non-marketing material.
Companies do need to ask for consent before sending marketing emails to contacts who are not existing customers. Those organisations with huge mailing lists of recipients who were never asked if they could be included on those lists are the ones who should really worry.
However, these ‘spammers’ would have already been in breach of EU law even before GDPR arrived.
3 – Potential vulnerability to extortion
One potential effect of GDPR, raised by Kaspersky Lab, is a rise in cyber-extortion. If cyber-criminals can identify companies that are not compliant with the new GDPR regulations, they could hold those companies to ransom by threatening to make the non-compliance public or to report the company to the Information Commissioner’s Office.
It’s thought that some organisations may pay a ransom, which could be cheaper than the GDPR fine, while they work towards GDPR compliance.
4 – Misinterpretation
Understanding GDPR is a journey for many organisations, and one airline recently appeared to have misinterpreted the regulation in a very public way. A security researcher discovered that the airline’s social media team was asking customers to post personal information such as passport numbers and full addresses via their Twitter accounts, so that it could help with customer service claims. The airline even insisted this was to comply with GDPR.
5 – Forgetting Paper
A possible oversight with GDPR is paper. While it’s easy to fixate on digital technologies and the use of email, any personal data stored on paper-based files should be used and stored just as carefully.
Of 598 data security incidents recorded by the Information Commissioner’s Office between July 2016 and September 2016, 40% involved paperwork, including loss or theft, posting or faxing to the wrong recipient, poor disposal or paperwork abandoned in an insecure location.
Five good steps for all organisations
1 – Training
Staff should be trained on GDPR and understand what they need to do, as well as what is unnecessary. Organisations should review their policies on an on-going basis and make sure that new starters are trained in correct data use and security in line with the regulation.
2 – Shredding
Secure cross-cut shredders, which can cut A4 paper into hundreds of pieces, should be deployed in every work area. They could even be placed desk-side where confidential information is likely to be in use, including HR, finance and legal.
Fellowes Micro Shredders can shred an A4 piece of paper into over 2000 pieces, with a 100% jam-proof system that eliminates paper jams and powers through tough jobs.
3 – Preventing visual theft
Busy open working environments can lead to dozens or hundreds of people viewing the contents of anyone else’s screen. This can lead to ‘visual theft’ when an unauthorised individual is able to view and memorise, or write down, personal and confidential data.
3M’s range of privacy filters protects devices by blocking the view of the screen to all but the user, allowing people to work securely.
4 – Encrypting digital data
Personal and confidential data should be stored on password-protected, encrypted USB drives.
These hardware-encrypted storage solutions can safeguard data with high-strength, military-grade security features. They include the Safexs Protector USB 3.0 Flash Drive, a portable data protection tool that protects sensitive data from unauthorised access and accidental loss, with built-in encrypted backup.
5 – Securing print devices
Printing and imaging devices store user credentials and other sensitive data, such as stored print jobs. If these are not encrypted or regularly erased, there is a chance that the device, and the confidential details it holds, will be accessed.
Output trays can be an easy way for sensitive data to fall into the wrong hands. To make sure sensitive documents cannot be retrieved by any user, ensure all printers require pull printing, so a job is only released when its owner authenticates at the device. Be aware that anyone with access to printer settings can change permissions if the settings aren’t restricted to admin-only access.
With Banner you can help protect your data with security solutions. For more information contact our technology team at email@example.com