Zivver achieves DCB0129 status for NHS Clinical Safety Risk Assessment
If your organization is struggling to comply with data protection regulations such as the GDPR, you can take some comfort in knowing you’re definitely not alone. Some studies have shown close to half of companies in many countries are not fully compliant with their national data protection requirements. But what are the compliance challenges these companies are experiencing and what can be done about it?
This blog post explores some common reasons organizations of all sizes are falling short when it comes to complying with data protection regulations, along with helpful tips or simple steps you can take to address them.
1- Protecting data starts with user awareness
The GDPR expects staff who handle personal data to be trained: awareness-raising and training of staff is listed among the Data Protection Officer's tasks in Article 39(1)(b), and Article 32(4) requires controllers and processors to ensure that people acting under their authority only process personal data on instruction. The regulation does not prescribe a training frequency, but a single annual session is rarely enough; short refreshers several times a year keep data handling and cybersecurity hygiene top of mind. With many other priorities competing for attention this initiative is easily overlooked, yet it underpins communication and data protection security across the organization. For tips on making these awareness sessions more engaging (and taking some of the work off your plate in the process), read our blog post on the subject, written by our Data Protection experts.
2- Preventing data breaches and data leaks
Did you know that the leading cause of reported data breaches is consistently human error in everyday communication, above all email? Typical mistakes include attaching the wrong file or sending a message to the wrong person. The UK Information Commissioner's Office (ICO) stated in its data security incident trends report that of the 2629 incidents reported in Q4 2019, 337 were due to "data emailed to incorrect recipient," 265 to "data posted or faxed to incorrect recipient" and 213 to "loss/theft of paperwork or data left in insecure location." Note that these figures only cover incidents reported to the regulator; a misdirected email that nobody notices or reports is not counted.
These incidents may seem relatively harmless, and practically everyone has made such a mistake once in a while, but the impact can be highly consequential. This is especially relevant now that stricter data protection regulations are in place and eye-popping fines are regularly announced for high profile breaches, including the penalties the ICO announced against British Airways and Marriott International. Knowing that human error is the root cause of most data leaks helps you identify the right controls to strengthen your digital communication security.
3- Acquiring compliance assurance from third party vendors
There’s an expression that goes ‘you’re only as strong as your weakest link’, which aptly describes the importance of choosing the right third party vendors. Under the GDPR you remain accountable for personal data you hand to a processor: Article 28 requires you to use only processors that provide sufficient guarantees of compliance, and to bind them with a written contract (a data processing agreement) covering the processing. Suppliers should therefore be able to show evidence of those guarantees, such as a signed data processing agreement, documented security measures or an independent audit report, rather than a bare statement that they are compliant. If you're unsure whether your suppliers currently meet this bar, reach out and ask them as a first step.
4- Securing outbound communications with a remote workforce
With so many people working from home these days, securing communications has become a top priority for organizations of all sizes. Remote work brings new risks that must be managed effectively: far more users access the company network from outside it, often from personal devices that IT does not manage or patch, which increases the likelihood of data leaks. You can read more about the importance of securing your email in our dedicated blog post on the subject.
5- Establishing a culture of data minimization
Is it really necessary for your organization to store a large amount of personal data for an extended period? The ‘let’s store as much as possible, maybe we can use it one day’ mentality is outdated and has given way to a culture of data minimization, which the GDPR makes a legal principle: Article 5(1)(c) requires personal data to be adequate, relevant and limited to what is necessary, and Article 5(1)(e) requires it to be kept no longer than the purpose requires. Every company must therefore consider each processing activity (collecting, editing, storing) carefully and review its policies regularly, adjusting as needed.
As a starting point, collect only the personal data you strictly need, and do not keep it longer than is necessary for the purpose for which it was acquired; in practice that means setting a retention period for each category of data and deleting or anonymizing it when the period expires. Many organizations find this challenging to manage, but it sets the foundation for proper data protection: data you never collected or no longer hold cannot leak.
The above examples are some of the common challenges data protection and IT security professionals face in complying with data protection regulations, including the GDPR and, in the UK, the Data Protection Act 2018 (DPA). There are of course many more challenges organizations face in achieving data protection compliance, which is partly why so many have struggled with it so far. But when it comes to data protection compliance, it truly is better late than never.
Data breaches can be costly (don’t become a PR disaster)
Since the GDPR came into effect, organizations have been expected to be compliant or run the risk of substantial fines and penalties when data breaches occur. Not only are the fines costly, with some companies so far incurring penalties of at least €50 million, but the reputational damage can be long lasting. As a spokesperson at The Information Commissioner’s Office (ICO) recently said: “People have the right to expect that organisations will handle their personal information securely and responsibly. When that doesn’t happen, we will investigate and take robust action where necessary.”
We're here to help
Our free guide on Data Protection Compliance provides more insights on what organizations can do now to prepare for future regulatory changes.