Since GDPR came into force, companies are still getting to grips with their data processes and policies. Joe Collinwood, CEO at CySure, explains the difference between data protection and data privacy, a distinction which organisations of all sizes and sectors can no longer afford to ignore.
The EU General Data Protection Regulation (GDPR) came into force on 25 May 2018 with great fanfare, and rightly so. It is the most significant change to data protection and data privacy legislation in Europe for over two decades. It puts individuals back in the driving seat as to how their data is used.
However, 12 months on there continues to be a lot of confusion within the business community about the distinction between data protection and data privacy.
Data Protection vs Data Privacy
Data protection refers to the technical controls that protect assets from unauthorised use: in effect, the tools and procedures that enforce policy and regulation. Data privacy refers to the legal and operational measures that govern how data is used, ensuring that only authorised users gain access to personal data.
GDPR makes it the responsibility of every organisation to implement appropriate technical and organisational measures to ensure a level of security appropriate to its risk. In the UK, compliance is governed by the Information Commissioner’s Office (ICO), whose role is to ensure the guidelines are adhered to and which may issue penalties if businesses don’t comply.
A common mistake companies make is ignoring what the ICO refers to as the “7 Principles”. A company that is already compliant with the Data Protection Act, and has technical controls in place to properly secure personally identifiable information, must still ensure those controls go beyond the firewall and anti-malware that most companies assume are sufficient.
In the event of a complaint to the ICO or a report of a data breach, a data controller or processor will need to demonstrate that they ensured appropriate security was in place. Organisations must be able to demonstrate:
- Internal policies and procedures that comply with the GDPR’s requirements
- The implementation of the policies and processes into the organisation’s activities
- Effective internal compliance measures
- External controls
This also extends to every business’s suppliers and contractors. If a company within an organisation’s supply chain is not compliant with GDPR, then the lead organisation is accepting a significant risk to its business. The inability to demonstrate proportionate steps to comply with GDPR is likely to attract significant scrutiny from the ICO and a more robust fine, not to mention the reputational damage that accompanies a data breach.
No room for complacency
We have seen tech giants such as Facebook and Google face fines and other legal ramifications for lapses in compliance and for failing to adequately disclose how they use data. The ICO served Facebook with the maximum allowable fine under the Data Protection Act 1998 of £500,000 for serious breaches of data protection law.
Regulatory bodies have made it abundantly clear that there is no immunity for complacency or apathy. The new Data Protection Act 2018, alongside GDPR, provides new enforcement tools for the ICO, including maximum fines of £17 million or 4% of global turnover. Even for an organisation the size of Facebook, a fine of this magnitude coupled with the reputational damage would impact business performance and shareholder confidence. While mega fines are yet to be seen, they could well be on the way as lengthy ICO investigations come to a conclusion.
Commercial advantages of safeguarding data
Being GDPR compliant is not a one-time activity; it is a cultural shift in how organisations protect personal data, and it should be baked into policies, processes and procedures. By taking a proactive stance towards data protection and data privacy, organisations can take control of their data and engage with customers and prospects on a deeper and more personalised level.
By developing a reputation for safeguarding sensitive information and providing transparency to customers, businesses can improve brand loyalty whilst also gaining new customers. Business growth depends on customer trust. Savvy organisations that can demonstrate a trusted track record and a commitment to protecting customer information can make the most of the opportunity to differentiate themselves from the pack by making data protection and privacy a priority.
CySure is a cyber security company founded by experts with extensive experience in operational and risk management. The company has offices in London (UK) and California (USA). CySure’s flagship solution, Virtual Online Security Officer (VOSO), is an information security management system (ISMS) that incorporates GDPR, US NIST and UK CE cyber security standards to guide organisations through complex, emerging safety procedures and protocols, improve their online security and reduce the risk of cyber threats.
CySure also supplies organisations with cyber insurance to supplement their security strategy and offset crippling forensic and remediation costs in the event of a cyber breach.
For more information, please visit www.cysure.net