Cyber-attack fines for non GDPR compliance

The General Data Protection Regulation (GDPR) will be in place from May 2018. Once in force, if a company that handles European Union (EU) Data suffers a cyber-attack, they could be liable for a 20,000,000 million euro fine or 4% of the yearly global revenue.

82% of businesses unaware of GDPR

Yet despite the harsh penalty, a recent study by Dell revealed that 97% of small businesses don’t have a plan ready for GDPR. A further 82% were unaware of the new legislation regardless of guidelines that state all organisations that process personal data from the EU are within the scope of the new legislation.

With the predicted 25% growth in ransomware for 2017, the recent locking of the Ukrainian nuclear power plant’s computers by hackers is dark reminder of the pernicious threat we face. The legislation is not something for businesses to ignore with existing EU data laws being superseded by GDPR. Non-compliance is a roadmap to financial disaster.

10 steps to business compliance

To ensure that you are ready for GDPR, we have drawn up a 10-step guide to help a business begin the planning process and avoid the risk of EU fines from May 2018.

1. C-level awareness

C-level buy-in and awareness of the financial risks of non-compliance is an essential first-step. Reputational damage following a breach could prove to be a loss in confidence from investors, customers and the supply chain.

2. IT and Legal team collaboration

This may seem obvious with a new regulation but the legal implications of compliance need to be matched with delivery from the IT team.

3. Data protection officer (DPO) and security staff

Depending on the size of your organisation a DPO would be responsible for the continued implementation of GDPR and report to the board to ensure business confidence in successful compliance to the new legislation. The EU recognised Distance Learning Training Course and Exam is a good place to start.

4. Data management procedures and governance policies

GDPR enforces new requirements governing the way we handle, share and delete data which need to be in place across an organisation. This may require a new onboarding process and retraining of all staff. All processes that handle personal data flow such as sales and email marketing will need to adhere to the new regulations.

5. PR strategy

Preparation for a breach with a press statement that broadcasts your GDPR compliance at all levels could help secure business and public confidence. An organisational awareness campaign and workshops to ensure engagement with the regulation could help improve employees understanding.

6. IT infrastructure and record management system

Under the new legislation, the rights of an individual to be informed and request the deletion of their data will require a system where all identified activity can be removed from backup files.

7. Privacy shield

Companies the deal with EU data must adhere to the regulations. For example, US companies are obliged to provide privacy protection to cover individual rights and dispute resolution.

8. Supply chain compliance review

Your organisation’s efforts to be GDPR compliant could be jeopardised by weak links in the supply chain that fail to handle EU data in line with the regulations.

9. Brexit is not a non-compliance option

If a business handles EU data then GDPR legislation applies.

10. Security checks

By creating a process of security checks that follow the guidelines will ensure you have a system in place, the meets the legislation. As hackers become more sophisticated, the stringency of the tests needs to reflect the market.