GDPR Security and Protecting Data

Our previous blog posts about GDPR briefly covered what the regulation means for Australian businesses, and the changes and updates the new regulation brings in relation to data subjects. Now, let's look at GDPR security and what businesses need to do in order to remain compliant with the law.

Protecting Data

As long as a business is using the data of a data subject, they are required to keep it protected. GDPR leaves no room for leniency when it comes to security, which means businesses need to ensure it remains a fundamental part of their processes.

The way to do this is by conducting stringent security and data audits, minimising the amount and type of data collected (keeping it relevant), implementing security measures, practices and processes, and ensuring that sensitive information is only accessible to the right employees, who are trained to identify and react to potential data threats.

Of course, businesses have always been expected to do this, but the new regulation adds the need for stronger enforcement.

Ensuring the data is protected is crucial from the moment it is legally obtained until it is permanently deleted. This is also enforceable under the updated data subject right to Data Portability, which entitles data subjects to transfer their data to another data controller.

Businesses should ensure they liaise with their IT team and software providers, as they may already have mapped their security processes out. If this is the case, it is imperative for businesses to review these existing processes and request any necessary changes to ensure the data subjects’ personal information is protected and encrypted.

If your IT team has no existing processes and you have to implement your own, make sure you work closely with legal, IT and service providers to ensure you remain compliant with the regulation.

Employee education is important. Social engineering is the most common method of breaching a business's cyber security defences, and all it takes is a simple phishing email to gain access to potentially sensitive information, which the business could end up paying for.

For more information on GDPR, head to the official European Commission site here. For Australian businesses, the OAIC has compiled a resource here.