GDPR for SMEs

Highlights

  • Thousands of Irish companies could be unprepared for the General Data Protection Regulation (GDPR), which comes into force across the EU in May
  • Data breaches can lead to hefty fines, and must be reported to the Data Protection Commissioner (DPC) within 72 hours
  • A new Irish Data Protection Bill will also bring a number of changes, including making the disclosure of certain data a criminal offence

How to implement a GDPR plan that will help protect your business from cyber attack – and save you from fines hefty enough to wipe your business out altogether.

Firms that don’t comply with the EU General Data Protection Regulation (GDPR), coming into force in May, face penalties of up to €20m or 4% of turnover – a sanction that would send one in four Irish companies to the wall.

Despite this, thousands of Irish companies could still be unprepared for the new rules. In January, a GDPR Report by the Irish SME Association (ISME) found that only 30% of respondents had identified the steps their businesses needed to take in order to comply, and only 7% had actually completed a GDPR plan.

This inaction could be putting not only themselves but also their customers and suppliers at risk.

“A huge number of SMEs in Ireland are behind the curve on this,” says Aoife Sexton, director of Dublin-based data protection training specialist Frontier Privacy. “Many don’t even know GDPR is coming. Of those who do, many are ignoring it and others want to comply but don’t know where to start.”

Why is GDPR coming?

Ireland’s Data Protection Act was introduced in 1988, and subsequently tied up with EU legislation, to control how personal information could be used, and establish people’s rights to access that information. Three decades on, the internet, email, smartphones and cloud storage have made business a very different beast. “Every company is now a data company,” the data protection commissioner for Ireland, Helen Dixon, told tech website Silicon Republic in a recent interview.

GDPR, which hits the statute book on 25 May, is an update to protect the data of all of Europe’s citizens – but a new, separate, Irish Data Protection Bill recently introduced in the Dáil to repeal the 1988 act will also bring a number of changes, including making the disclosure of certain data a criminal offence.

What does the new law mean?

“It means every company needs to step up,” says Sexton. “You need an end-to-end strategy to ensure that not only is every piece of data you hold on any individual protected, but also that you’re justified in having it. [That means] full names, birth dates, contact details, staff records, financial information. This goes for everyone whose data you hold – from your own staff to your customers, suppliers, people on your marketing lists.

“It also gives individuals rights to access their data, and rights of portability and erasure. You need to tell people you’ve got it, why you hold it and what you’ll do with it – and then you need to protect it and be seen very clearly to have done everything you can to do this.”

So what constitutes personal data?

Anything that enables identification of an individual. “It’s not just financially sensitive information,” says Sexton. “It’s even CRM [customer relationship management] data, even corporate email addresses. If it enables identification, it’s personal data.”

I want to comply – where do I start?

Educate your staff – starting with those at the top. “This needs to immediately move up to the board agenda,” says David Keating, security specialist at technology distributor DataSolutions. “Everybody needs to understand why compliance is vital and it needs to run through the organisation. Don’t dismiss it as ‘an IT project’ or one department’s responsibility – it runs through the organisation.

“You cannot afford not to do it. Data breaches compromise your business security, leave you vulnerable to civil lawsuits, wreck your reputation – any of which can ruin your business, and that’s before you’re hit with a fine.”

The next step, according to Sexton, is to “get to grips with what personal data you hold – carry out an audit of what you hold, how you collect it, where you store it, why you have it, and how you’re safeguarding it.”

Measures to improve the protection of data can be very simple, says Keating. “Just by, say, implementing two-factor authentication, you’ve immediately enhanced your security,” he says. “Cybercriminals are incredibly sophisticated – you need to make life as difficult for them as possible, and that means making compliance a top priority.”

Another key area of the new regulations is transparency – being able to prove exactly how you are complying. “The spine of the new GDPR is accountability,” says Sexton. “The burden of proof is now on companies to satisfy the regulator they have done everything possible. You don’t always need consent to hold data as long as you can prove the legal basis for having it – but you do need to tell people you’ve got it, and why.”

Suppose we do suffer a breach?

Even following all the guidelines, breaches will happen, even in places you’d expect to be secure. Ireland’s Central Statistics Office (CSO) recently admitted inadvertently emailing out sensitive P45 information on 3,000 of its former employees. Aside from the inevitable apology, the CSO acted swiftly to report the breach to the Data Protection Commissioner (DPC). “Part of compliance is reporting any breach within 72 hours,” says Sexton. “This means having a protocol in place so everyone knows what to do in the event of security being compromised.”

Where can I get help?

The DPC has issued a 12-point guide to help organisations comply. More information is available at gdprandyou.ie. Dixon says: “We’re focused on helping SMEs who may feel that the GDPR doesn’t apply to them or that there is little to fear in ignoring it, when in fact this is far from the case. But the DPC website can help you identify the changes you need to make to be GDPR ready.”

Act now

In September, DataSolutions and TechPro magazine carried out a survey, which asked businesses how they’d cope if they ended up being fined for a data breach. “GDPR fines could have a devastating impact on companies,” says Keating. “23% of businesses we surveyed said big fines would shut them down, while 10% said they’d have to cut staff and one in five would have to reduce their operations.

“Irish businesses need to make achieving compliance one of their top priorities – to protect their customers, their staff and their own future.”

By ContentLive

Comments 2

Tara De Buitlear on Wednesday, 18 April 2018 15:13

Some good advice there for all SMEs assessing the impact of GDPR for them.

Chevy Johnston on Monday, 23 April 2018 20:02

It's a big change for businesses to prepare for, but great to see that there will be a more holistic approach to data protection as it gets more and more complex.