What does my business have to do for GDPR compliance? This is a question I have been asked a lot over the last 6 months. There is a lot of information on this subject and I am sure you are getting sick of hearing about it! However, the truth is, GDPR is happening in just over 3 months. This means your business needs to be aware of what it has to do to become compliant, or to work towards becoming compliant.
In this blog I am going to try to answer the question – What does my business have to do for GDPR?
First of all, I would like to point out that I am not solely a GDPR consultant; I am talking from my understanding of GDPR from an IT perspective. The GDPR guidelines state you have to do everything in your power to protect your business data from breach, theft or unlawful use. If you are investigated, the ICO will want proof of the steps you are taking against cybercrime, and if you can’t demonstrate this, they will issue you with a fine in accordance with the guidelines.
What does my business have to do for GDPR compliance?
Micro business < 10 IT users using Cloud services and no servers
Most importantly, you should have a network firewall with security services running, every user should have antivirus, and all software should be in support, patched and up to date. All data must be backed up at least three times in different locations. If you hold PII (personally identifiable information) you must know where this data is stored and be able to delete/remove it when requested. You may be asked to prove you still need this data and, if not, it must be removed from your IT systems. If you only hold employee data, then you don’t need to do anything else, provided it is stored in a secure location.
Recommended Action – you should look at Cyber Essentials as a basic level of cybersecurity if you have more than 5 IT users.
Small Business < 50 IT Users with Cloud or on-site servers
As above for the most part. However, now we are starting to deal with a serious amount of data, and the more users, the more data. It is entirely possible that users have spreadsheets saved on their local devices that may or may not be centrally backed up. You will possibly have staff who work remotely. All of this means identifying your data is becoming more difficult.
Recommended Action – Cyber Essentials Plus, which includes internal/external vulnerability scanning to ensure your IT systems are compliant. You should also look at a data discovery tool to ensure you know where your data is stored, and some form of data loss prevention software to ensure you can protect yourself against a data breach. A breach could be external, through phishing, or internal, through employee data theft or malicious intent.
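To make the "know where your PII is stored and be able to remove it on request" point concrete, here is an added example (not the author's code or any vendor's discovery tool) of a minimal data discovery pass over a file share: it inventories which files hold UK-style identifiers (email, mobile number, National Insurance number), locates the files that mention one data subject, and removes that subject's lines. The sample files and the identifier patterns are constructed for the example.

```python
import re, tempfile
from pathlib import Path

# Constructed sample files standing in for a small business's file share (not real data).
SAMPLE_FILES = {
    "sales/clients.csv": "name,email,phone\nJo Bloggs,jo.bloggs@example.co.uk,07700 900123\n",
    "hr/payroll.txt": "Jo Bloggs NI: AB123456C\n",
    "marketing/plan.md": "# Q3 plan\nNo personal data here.\n",
}
# Patterns for common UK identifiers: email address, UK mobile number, National Insurance number.
PII_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "uk_mobile": re.compile(r"\b07\d{3}\s?\d{6}\b"),
    "ni_number": re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b", re.IGNORECASE),
}

def build_sample_share():
    """Write the constructed files into a temporary directory and return its path."""
    root = Path(tempfile.mkdtemp())
    for rel, text in SAMPLE_FILES.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(text)
    return root

def scan_directory(root):
    """Inventory {relative file path: {pii kind: hit count}} for files holding PII-like values."""
    inventory = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            text = path.read_text(errors="ignore")
            hits = {k: n for k, p in PII_PATTERNS.items() if (n := len(p.findall(text)))}
            if hits:
                inventory[path.relative_to(root).as_posix()] = hits
    return inventory

def locate_subject(root, identifier):
    """Files mentioning one data subject's identifier, e.g. to answer an access or erasure request."""
    return sorted(p.relative_to(root).as_posix() for p in Path(root).rglob("*")
                  if p.is_file() and identifier.lower() in p.read_text(errors="ignore").lower())

def erase_subject(root, identifier):
    """Drop every line mentioning the identifier (line-oriented files only); return lines removed."""
    removed = 0
    for rel in locate_subject(root, identifier):
        path = Path(root) / rel
        lines = path.read_text(errors="ignore").splitlines(keepends=True)
        kept = [ln for ln in lines if identifier.lower() not in ln.lower()]
        removed += len(lines) - len(kept)
        path.write_text("".join(kept))
    return removed
```

Line-by-line erasure only suits flat files; databases, mail stores and backups (including the three backup copies mentioned above) need their own erasure process, which is what a proper discovery tool tracks for you.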
Small Business 50-200 users with Cloud or on-site servers
As above, but you may need additional protection against breaches – I would recommend you contact us for a personal consultation.
Over 250 users
As above, but you will need additional protection against breaches – I would recommend you contact us for a personal consultation and make contact with a GDPR consultant who can look into other aspects of the business that you will need to consider such as HR/Marketing and Finance.
I would like to point out that the advice here is very general and will only give you some indication of what you need to do or prepare for. As always, every business is different. This means you all need to consider different aspects of GDPR, and it is difficult to pigeonhole every business by its number of users. If you are concerned or would like more information, then please get in touch for a free consultation on 0333 240 0565 or visit our contact page.