On May 25th this year, the new General Data Protection Regulation (GDPR) laws come into effect. GDPR will replace the current Data Protection Act 1988 and the new regulation places greater emphasis on data privacy. Even though this legislation is controlled by the European Union, the UK government has confirmed that it will be transposed into UK law as part of the Brexit process. Furthermore, it is unlikely to be amended by the UK as it will be a key requirement for any companies trading with the European Union.
The combination of smart devices and the development of the Internet of Things (IoT) within our homes poses a new threat to the security of personal information and data privacy. The new regulation is attempting to strengthen and unify data protection in this area and protect consumers who increasingly want to shop online.
There has been much speculation about the new GDPR law and its impact on business because the consequences of non-compliance are severe: the maximum fine is 20 million Euros or 4% of turnover, whichever is greater. Consequently, it’s critical that firms adhere to the new law, not only to mitigate the risk of fines but also to protect themselves from reputational damage under the stricter regulations.
For complex supply chains, made up of many individual operators and suppliers, there is even greater pressure to ensure compliance with the new regulations. All companies trading with the European Union, and the UK by default, will have to take responsibility for data protection breaches that occur within the supply chain, at whichever point they occur. With such large amounts of personal data flowing through the supply chain, there is a significant risk of non-compliance.
It has been reported in the press that many organisations still have not assessed the full impact of the GDPR or taken the requisite action to ensure compliance. There exists a perception that this is a minor adjustment, or that it will be ‘ousted’ as part of Brexit – neither of which is the case. The legislation comes into effect in just 8 weeks, and any business that hasn’t started to review its policies now needs to rapidly assess its entire supply chain to ensure compliance.
Companies need to think carefully about their relationships with external suppliers, from the communication processes right through to the transactional processes. This is a time-consuming activity, especially if a company has many hundreds or indeed thousands of contracts with different suppliers. GDPR will potentially affect all of these contracts, and any company that isn’t prepared within the next 8 weeks risks serious legal implications.
As a starting point, firms need to map, in detail, all data flows across the business where personal information is received, stored, processed and potentially passed to other parts of the supply chain. Where data passes through the supply chain, clear contracts need to be put in place to ensure that all supply chain partners, and all data transactions, adhere to the new data control and processing regulations of the GDPR. This cannot be a quick ‘light-touch’ affair: it is vital for companies to understand and appreciate that data breaches can often occur due to the smallest action, such as copying someone into an email which contains data that they shouldn’t have access to.
As well as mapping the data flows through the business and supply chain, companies also need to understand the data security weaknesses within their organisation. Having clearly defined processes and GDPR-compliant contracts with suppliers is only one element of the rules for handling data. 81% of all data breaches that occur within a company are due to attackers using stolen data. Companies need to start looking through all their contact information, including email and archived data, as there will be a lot of sensitive and personal data within these.
A thorough investigation needs to occur so that no surprises are unearthed when the regulation comes into effect. Organisations also need to implement cyber resilience strategies and update outdated systems which are liable to contain personal and sensitive data. Adaptive authentication needs to be considered, as this will allow organisations to add layered protection if personal information is stolen. Due diligence of all systems needs to be completed and this due diligence needs to be regularly carried out to make sure systems remain accurate and efficient.