Accountants providing chartered accounting and tax advisory services are alerting smaller Irish companies to the consequences of the pending General Data Protection Regulation (GDPR). They believe these companies will feel the most pain come 25 May 2018, when the regulation starts to apply, if they have not put compliance measures in place by then. We are trying our best to help them avoid this situation by providing advice.
How to Kick the GDPR Ball into Play
Ireland's data protection regulator, the Data Protection Commissioner, has produced a toolkit on where best to start. It suggests beginning with an information security assessment to find the gaps a company needs to close. Once the gaps are quantified, a plan of action, and the resources needed to carry it out, follow naturally. Here is how to go about it:
1. Start by assessing your current ability to identify, assess and manage threats to the personal data you hold. Have you done anything at all to date? You are almost certainly holding some personal information about customers, staff or suppliers, so it is highly likely the GDPR applies to you.
2. Next, review your company's current data security policies. Are they documented and approved, or do new employees discover them by sitting next to Nellie? Rate yourself on a scale of one to ten, where ten means the policies are fully implemented.
3. Now consider how clearly you have assigned responsibility to named individuals for implementing those policies and for leading the GDPR effort. The latter should be the business owner, or a board member with enough clout to make things happen.
4. By now you should have a grasp of the scale of the work ahead of you, remembering that the EU deadline is 25 May 2018. If this sounds overwhelming, consider outsourcing to your accountant or a specialist provider.
5. Under the General Data Protection Regulation you must report a personal data breach to the Data Protection Commissioner without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the individuals affected. Where the risk to those individuals is high, you must also tell them directly. Do you have a mechanism to detect breaches, escalate them quickly enough to meet that clock, and record what happened and how you responded?
Tangible Things to Bring Your Own People on Board
With all the changes going on, there is a risk of your employees regarding the GDPR as ‘another management idea going nowhere.’ It is therefore important to incorporate the new EU regulation into staff training, particularly on data security in general. They may only fully come on board once they see tangible signs of progress. In any case, put the following measures in place unless you already have them:
1. A secure area for your servers and for any paperwork your customers have provided. This means physical access control on a need-to-know basis, to protect the information against loss, damage and theft.
2. A protocol for disposing of storage media and records when you no longer require them or something supersedes them, so that the data cannot be recovered from discarded disks or paper. You are the custodian of other people's information and they deserve nothing less.
3. Procedures to secure customer data on employee mobile devices and computers, for example device encryption and the ability to wipe a lost device. These must extend to work done at home, at consultants' sites and by remote workers.
4. Secure configuration of all existing and new hardware, to reduce exposure to attack and to guard against storage media failure. These measures should extend to removable media and to remote backups, which should themselves be encrypted and periodically tested to confirm they can be restored.
So Is This the Worst of the Pain?
We are at the heart of the matter, although there is more to tell in future articles. You may be almost there if you already protect your own proprietary information. If not, key company information may already be exposed to malware. We should welcome the EU General Data Protection Regulation as notice that it is time to face up to the challenges of data protection and security generally. The age of hacking and malware is upon us. The offender could be a disgruntled employee, or your competition just down the street. It is time to take precautions.