GDPR: Have your say and win a year's worth of business broadband
There is less than one month until the General Data Protection Regulation comes into effect.
These changes will affect businesses big and small throughout Ireland, and will be revolutionary in protecting both individuals and organisations when it comes to processing data.
With the date nearing, we want to know what Irish businesses think about GDPR. Take this short survey from Magnet Networks to be part of the largest Cyber Security Awareness Survey and make your voice heard. Plus, you could win free business broadband for a year from Magnet Networks for taking part.
It is vital your business is prepared for these changes in law. While it can seem like a daunting task, there is still time to ensure you are GDPR ready. If you are unsure where to start, use these five steps as a guide to becoming GDPR aware.
Now is the ideal time to review all of your privacy policies and notices. Ensure that both your staff and customers are aware of how and why you gather data. Currently, you are required to let your customers know who you are, why you are gathering their data, how you plan to use it and who else might have access to it.
By reviewing your data collection process now, you will be ready for further changes to data collection under GDPR, where the most notable changes concern the legal basis for processing data. The retention of data will also be affected, as will the right of complaint for any customers who are dissatisfied with how the regulations are being upheld. Keep in mind that under GDPR businesses will also be required to communicate in clear, easy-to-understand language, so it's important you communicate your policies simply and effectively.
Data Protection Officers
Do you need to implement a Data Protection Officer? Under the new regulations, all public bodies (national, regional and local) require one, as does any organisation whose primary activities involve processing data. This applies to organisations involved in the ongoing processing and monitoring of individuals and their data.
When it comes to hiring a DPO, GDPR guidelines require that the candidate has “expert knowledge of data protection law and practices”. This will also depend on the type of data processing being carried out by your organisation. If your business processes particularly large volumes of data, or if the data is very complex, your DPO may need more experience and qualifications to carry out the role.
Whether or not your organisation has a DPO, it is essential that all employees are up to date on GDPR practices. Group training sessions are an ideal way to inform your employees about data processing, your privacy policies, why you collect data and for what purpose. They will also equip staff with the necessary knowledge should they receive queries or complaints from customers.
GDPR and kids
Under GDPR there are separate regulations for processing children’s data. Children need to be 16 in order for their data to be processed. If they are under the age of 16 their data may only be processed when permission is expressly granted by their parent or legal guardian. If your business processes data for underage children you need to implement systems that can both verify the age of individuals and gather and process permission from their guardians.
If your business has services that directly affect or are marketed to children, your permission and privacy notices must be written in clear, easy-to-understand language that is suitable for children.
Cyber Security and Data Breaches
In order to ensure that any data you hold is secure, it is imperative that your cyber security practices are ironclad. According to a nationwide survey by Magnet Networks, 48% of Irish businesses have no cyber security policy. In the wake of recent global cyber security breaches, we are all more aware of just how damaging these breaches can be. Under GDPR, there will also be mandatory reporting whenever a data breach occurs. All data breaches must be reported to the Data Protection Commissioner, usually within 72 hours, unless the data was encrypted or anonymous.
As a business, you will need to have policies in place that detect, report and investigate any breaches on an ongoing basis. In the event of a breach that affects the individual (for example, in the case of identity theft), the individual must also be notified. When reviewing the data you process ahead of GDPR, you should also take note of the types of data you hold and whether any fall under categories that require notification if a breach occurs.
Companies need to have a next generation application-aware firewall along with advanced endpoint protection and local real-time analysis on each machine.
Having this system, which Magnet Networks employs, would make it extremely difficult for an attacker to successfully gain access to any personal data that resides within a business.
Don't forget to take part in Magnet Networks' Cyber Security Awareness Survey. Make your voice heard and you could win free business broadband for a year.