GDPR (General Data Protection Regulation) is on the horizon and we have two choices: either accept it and prepare, or bury our heads in the sand. I have met organisations that have always taken protecting data seriously, and ones that practically broadcast all of their customers' data to the world.
As an IT professional, I am pleased about the looming GDPR, as ensuring data is kept secure is essential in any business. We must adapt to the environment to protect all of our clients and ourselves.
Under GDPR you are required to report all data breaches within 72 hours, both to the country's representative (of each affected person's nationality) and to the individuals affected by the breach. However, if the data is appropriately protected, you only have to report the breach to the country's representative: you will not face a fine or have to inform your clients if you have put appropriate measures in place to protect personal information.
There are two main methods for securing data mentioned in the GDPR: encryption and pseudonymisation. Each method comes with its own burden, encryption with cost and pseudonymisation with time. For most companies the financial burden of encryption heavily outweighs the cost of pseudonymisation.
Yes, "pseudonymisation" is a mouthful, but quite an elegant mouthful. I like it. But I do not like doing it, because it requires removing all personal data and replacing it with random codes. Think of it as using pseudonyms for all personal data.
This is a good way of sharing data, as all personal data has been removed; however, it is not practical for all types of data. For example, if you took a client list and pseudonymised it, you would no longer have a client list but a list of useless data. Most small businesses will find that they are unable to apply this to the data they retain.
You are likely to see pseudonymisation integrated into CRM software over the coming years as part of the "data protection by design" policy that GDPR introduces. However, it is more than likely that most companies will simply adopt encryption.
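To make the client-list point concrete, here is an added example (my own code, not from the original post or any product it mentions) of what pseudonymisation does to a client list. Names and e-mail addresses are replaced by random tokens; the token-to-identity mapping is held separately from the data, which is what makes the pseudonymised list useless to anyone who only has the list. The `Record`, `Pseudonymiser` and `SampleClients` names and the three sample rows are constructed for this example.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Record is one row of a client list. Spend stands in for business data that
// is not personal and therefore stays readable after pseudonymisation.
type Record struct {
	Name  string
	Email string
	Spend int
}

// SampleClients returns a constructed client list (invented sample data). One
// client appears twice so the example can show that tokens stay linkable.
func SampleClients() []Record {
	return []Record{
		{"Alice Example", "alice@example.com", 120},
		{"Bob Example", "bob@example.com", 45},
		{"Alice Example", "alice@example.com", 80},
	}
}

// Pseudonymiser swaps identifiers for random tokens. The token-to-identifier
// mapping is the "additional information" that must be kept separately from
// the pseudonymised data; in this example it lives only inside this struct.
type Pseudonymiser struct {
	forward map[string]string // identifier -> token
	reverse map[string]string // token -> identifier
}

func NewPseudonymiser() *Pseudonymiser {
	return &Pseudonymiser{forward: map[string]string{}, reverse: map[string]string{}}
}

// token returns the token for an identifier, minting a fresh random one on
// first sight. A repeated identifier gets the same token, so the rows of one
// client can still be grouped without revealing who the client is.
func (p *Pseudonymiser) token(id string) (string, error) {
	if t, ok := p.forward[id]; ok {
		return t, nil
	}
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	t := hex.EncodeToString(raw)
	p.forward[id] = t
	p.reverse[t] = id
	return t, nil
}

// Pseudonymise returns a copy of the list with name and e-mail replaced by
// tokens; non-personal fields are copied unchanged.
func (p *Pseudonymiser) Pseudonymise(in []Record) ([]Record, error) {
	out := make([]Record, 0, len(in))
	for _, r := range in {
		name, err := p.token(r.Name)
		if err != nil {
			return nil, err
		}
		email, err := p.token(r.Email)
		if err != nil {
			return nil, err
		}
		out = append(out, Record{Name: name, Email: email, Spend: r.Spend})
	}
	return out, nil
}

// Reidentify reverses Pseudonymise. It fails on any token this Pseudonymiser
// did not issue, which is the position of anyone holding the list but not
// the separately kept mapping.
func (p *Pseudonymiser) Reidentify(in []Record) ([]Record, error) {
	out := make([]Record, 0, len(in))
	for _, r := range in {
		name, okName := p.reverse[r.Name]
		email, okEmail := p.reverse[r.Email]
		if !okName || !okEmail {
			return nil, fmt.Errorf("unknown token %q: mapping not available", r.Name)
		}
		out = append(out, Record{Name: name, Email: email, Spend: r.Spend})
	}
	return out, nil
}

func main() {
	p := NewPseudonymiser()
	masked, err := p.Pseudonymise(SampleClients())
	if err != nil {
		panic(err)
	}
	for _, r := range masked {
		fmt.Printf("%s %s %d\n", r.Name, r.Email, r.Spend)
	}
	// Without the mapping the list cannot be turned back into a client list.
	_, err = NewPseudonymiser().Reidentify(masked)
	fmt.Println("re-identification without the mapping:", err)
}
```

Run it and the printed rows carry nothing you could phone or e-mail, yet the two rows for the same client share a token, so totals per client can still be computed. Only the party holding the mapping can turn the list back into a client list, which is why the mapping must be stored and access-controlled apart from the data.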
Encryption has been around for thousands of years, going back to around 700 BC when the Spartan military sent messages using scytales. Modern encryption converts information using an algorithm that cannot be reversed without the key, a key that is 256 bits in length. It is hard to grasp the scale of this: such a key has 2^255 possibilities, which would take longer than the estimated lifespan of the earth to crack with present technology.
There is a lot to consider before going ahead with encryption, but above all the security of the keys and the ongoing management of the device. If you encrypt your devices and then suffer the inevitable hard drive failure down the line, how are you going to recover the data? Encryption should not be taken light-heartedly and should always be managed by a professional.
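The recovery question above is the one to settle before encrypting anything. The following added example (my own code, not from the original post or any product) shows the standard answer: data is encrypted under a random 256-bit data encryption key, and that key is stored only in wrapped form, once under the user's key and once under a recovery key the administrator keeps off the device. Losing one of the two keys then does not lose the data. The `EncryptedDevice`, `Slots` and `Encrypt` names, and the sample plaintext, are constructed for this example; AES-256-GCM from Go's standard library does the actual encryption.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewKey returns a fresh random 256-bit key.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts and authenticates plaintext with AES-256-GCM, prepending the
// random nonce so the output carries everything needed to decrypt it.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal. A wrong key or a modified ciphertext fails the
// authentication check and returns an error instead of garbage.
func open(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// EncryptedDevice models a device whose data is sealed under a random data
// encryption key (DEK). The DEK is never stored in the clear: each slot holds
// the DEK wrapped under one key-encryption key (user key, recovery key, ...).
type EncryptedDevice struct {
	Data  []byte   // data sealed under the DEK
	Slots [][]byte // DEK sealed under each key-encryption key
}

// Encrypt seals plaintext under a fresh DEK and wraps the DEK once per key.
func Encrypt(plaintext []byte, keks ...[]byte) (*EncryptedDevice, error) {
	dek, err := NewKey()
	if err != nil {
		return nil, err
	}
	dev := &EncryptedDevice{}
	if dev.Data, err = seal(dek, plaintext); err != nil {
		return nil, err
	}
	for _, kek := range keks {
		wrapped, err := seal(kek, dek)
		if err != nil {
			return nil, err
		}
		dev.Slots = append(dev.Slots, wrapped)
	}
	return dev, nil
}

// Unlock tries the key against every slot and decrypts the data with the
// first DEK it recovers. A key that matches no slot reads nothing.
func (d *EncryptedDevice) Unlock(kek []byte) ([]byte, error) {
	for _, wrapped := range d.Slots {
		if dek, err := open(kek, wrapped); err == nil {
			return open(dek, d.Data)
		}
	}
	return nil, errors.New("key does not unwrap the data encryption key")
}

func main() {
	userKey, _ := NewKey()
	recoveryKey, _ := NewKey()
	dev, err := Encrypt([]byte("constructed client list"), userKey, recoveryKey)
	if err != nil {
		panic(err)
	}
	// The user key is gone (forgotten passphrase, rebuilt laptop): the
	// recovery key the administrator kept still opens the data.
	pt, err := dev.Unlock(recoveryKey)
	fmt.Printf("recovered: %q, err: %v\n", pt, err)
}
```

The design choice worth noting is that the recovery key is only as useful as its storage: it must be kept somewhere that survives the device failing (and the user leaving), yet is not readable by whoever walks off with the laptop. That storage and its access control is the "management by a professional" the text calls for; the cipher itself is the easy part.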
You need to protect your data appropriately, or the one day you leave your laptop on the train could be the beginning of the end for your company, and you will lose all professional respect. Just ask yourself: can you afford to tell all of your customers that their personal data could now be in the hands of criminals?