General Data Protection Regulation (GDPR)
The new procedures under GDPR for businesses will come into effect on 25 May 2018, and there are unlimited fines for failure to comply. Although this is EU legislation, it will not be affected by Brexit.
The procedures cover how you store and protect customer data, how long you retain such data, and what customers can require you to do in connection with that data.
In general, you will be treated as a data processor or a data controller, or both.
Personal data is a valuable commodity and can be used for criminal purposes or commercial marketing. It, therefore, needs to be protected by all reasonable means.
The purpose of the regulation is to ensure that customers can find out quickly what data you hold on them and can require you to amend or delete that data. Most importantly, you have a responsibility to keep the data safe and to notify any affected customers and the Information Commissioner’s Office (ICO) of any security breach within 72 hours of becoming aware of that breach.
It will be important to educate all personnel by publishing a statement of best practice and preparing a risk assessment to demonstrate that you have taken reasonable steps to comply with the legislation and so far as possible to prevent security breaches from happening.
In view of the administrative and reputational costs of cyber security breaches, particularly if you hold information for a large number of customers on your computer system, it may be worth considering insuring against this risk. Bear in mind, however, that this type of insurance is probably best purchased on a bespoke basis, because generic policies are likely to contain exclusions which could render them worthless.
It will be sensible to ensure that regular backups are taken of computer data files and that these backups are kept for an appropriate period and are securely stored so that they will not be tainted if the main system is hacked. It is also important to ensure that employees do not open e-mail attachments unless they are absolutely certain that the e-mail is genuine. There have been cases where the sender’s e-mail address is very slightly different from a genuine address you might expect. A recent version of this sort of scam involves attaching an “invoice” and asking you to check it is correct. By doing so, you may infect the entire system, possibly with ransomware which asks you to pay a fee or lose all your data. Even if there is no apparent immediate effect, some infiltrations can lay dormant for months or even years gathering valuable information.
You should also consider encryption of outgoing e-mails in case these are intercepted.
Although this article refers to “customers” the regulation also applies to any other personal data you may hold. It does not appear to be restricted to information held on computer or “in the cloud” so you could be at risk if an employee leaves personal files in an unlocked car and they are stolen, for example.