
European GDPR: What it means for your IT infrastructure

At Wifigear, we take data protection very seriously and we believe that at the core of any compliant business is infrastructure that is designed to prevent loss of data.

What is GDPR?

GDPR stands for General Data Protection Regulation. It is an EU regulation that replaces the 1995 Data Protection Directive and harmonises data protection rules across the member states. It applies to any organisation, inside or outside the EU, that processes the personal data of people in the EU.

In essence you'll need to know the following:

  • The scope of the data you hold on any person
  • Your own current business processes for data handling
  • Whether you have a data removal solution (how you delete a person's data when they ask, or when you no longer need it)
  • Where and how your customer data is stored physically (hard copy, audio, visual, alphanumeric)
  • Whether you have data processing agreements with the third-party services that hold data on your behalf (Salesforce, cloud apps, etc.)
  • Contingency for data breaches (you need to be able to report a breach to your supervisory authority within 72 hours of becoming aware of it)
  • Accuracy of the information you hold

This is a big process!

We're aware that there is a lot to consider when ensuring that you comply with the GDPR, and that's why we're raising awareness of the issue. Staggeringly, only 2% of businesses are actually compliant, whereas 38% believe that they are!

When is this happening?

May 25th 2018 is the date from which the GDPR applies, and therefore the official deadline for businesses to be compliant.

There are currently grey areas about how national supervisory authorities will actually enforce a fine when a business appears to be in breach. It is likely that many businesses will miss the deadline and will be scrambling to catch up.

We believe that staying ahead of the game will allow better organised businesses to focus on growth while others catch up with the regulation. It will be more important than ever to make sure you aren't caught out.

How can we simplify this?

As a small business, you could collect only the data you genuinely need, for example the records you are required by law to keep after a purchase.

Holding vast amounts of personal data without a lawful basis (such as the person's consent) is now too much of a burden. Streamline your data collection and handling processes and keep only what you require to run your business.

So what about my infrastructure?

Personal data can be held in several physical forms: hard copy, audio, visual and alphanumeric, i.e.:

  • On Paper
  • Phone Records
  • Video
  • Held in server databases

You'll need:

  • A paper filing system with controlled access
  • IP phones that record and store calls securely (with a notice and an opt-in before recording begins)
  • If you record video (CCTV), a lawful basis for holding it, clear signage telling people they are being recorded, and a secure place to store it (a DVR, Digital Video Recorder, with restricted access)
  • Adequately protected server databases to prevent data leaks

For wireless infrastructure, this means that any captive portal or wireless controller that collects personal data from a user's device (MAC address, device name, browsing activity, or contact details entered at sign-in) must have a lawful basis for doing so, normally the user's clear opt-in on the portal page, and must tell the user what is collected and why.

For wired infrastructure, it is advisable to keep data servers behind a firewall, with 802.1X port-based authentication backed by a RADIUS server, so that only authenticated devices can reach the network segment that holds personal data. This minimises the risk of data loss or theft.

For cloud technologies, you will need to confirm that the cloud provider adheres to the GDPR (a data processing agreement, and clarity on where your data is stored) and have a documented process for deleting a person's data should your 'opt-in' user suddenly become an 'opt-out' user.
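As an added example (not Wifigear's code, nor part of any product mentioned on this page), here is a small Python sketch of how a captive portal back end might apply the points above: it writes a guest record only when the guest has opted in, stores the minimum needed (a keyed hash of the MAC address rather than the MAC itself, and a truncated IP), deletes the record when the guest withdraws consent, and enforces a retention period. The class and field names are assumptions for illustration, and the association events are constructed sample input.

```python
import hashlib
import hmac
import ipaddress
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Constructed sample input: what the portal back end sees when three guest
# devices associate and answer the sign-in page. Not real data.
SAMPLE_ASSOCIATIONS = [
    {"mac": "AA:BB:CC:DD:EE:01", "ip": "192.168.10.23",
     "email": "guest1@example.com", "marketing_opt_in": True},
    {"mac": "AA:BB:CC:DD:EE:02", "ip": "192.168.10.24",
     "email": "guest2@example.com", "marketing_opt_in": False},
    {"mac": "AA:BB:CC:DD:EE:03", "ip": "2001:db8:1234:5678::1",
     "email": "guest3@example.com", "marketing_opt_in": True},
]


def anonymise_ip(addr: str) -> str:
    """Keep only the network part of an address (/24 for IPv4, /48 for IPv6).

    The result still shows which site or ISP range a guest came from, which is
    all capacity planning needs, but it no longer points at one device.
    """
    ip = ipaddress.ip_address(addr)
    prefix = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


@dataclass
class GuestRecord:
    device_id: str            # keyed hash of the MAC, never the MAC itself
    network: str              # anonymised IP
    email: str                # only present because the guest opted in
    consented_at: datetime
    expires_at: datetime


class CaptivePortalStore:
    """Persistent store for guest sign-ins (hypothetical design).

    The controller's live session table, which legitimately needs the real MAC
    while the device is online, is out of scope here.
    """

    def __init__(self, retention_days: int = 30):
        # Pseudonymisation key (assumption: in production this would live in a
        # secrets manager). Destroying it severs the link between stored records
        # and real MAC addresses, which is one way to honour erasure in bulk.
        self._key = secrets.token_bytes(32)
        self._records: Dict[str, GuestRecord] = {}
        self.retention = timedelta(days=retention_days)

    def _pseudonym(self, mac: str) -> str:
        # Normalise case so "AA:..." and "aa:..." map to the same record.
        return hmac.new(self._key, mac.lower().encode(), hashlib.sha256).hexdigest()

    def on_association(self, event: dict, now: datetime) -> Optional[str]:
        """Record the guest only if they ticked the opt-in box."""
        if not event["marketing_opt_in"]:
            # Guest declined: they still get internet access, but nothing about
            # them is written to this store.
            return None
        rec = GuestRecord(
            device_id=self._pseudonym(event["mac"]),
            network=anonymise_ip(event["ip"]),
            email=event["email"],
            consented_at=now,
            expires_at=now + self.retention,
        )
        self._records[rec.device_id] = rec
        return rec.device_id

    def withdraw_consent(self, mac: str) -> bool:
        """Opt-in becomes opt-out: delete the record. True if one existed."""
        return self._records.pop(self._pseudonym(mac), None) is not None

    def purge_expired(self, now: datetime) -> int:
        """Enforce the retention period; returns how many records were removed."""
        expired = [k for k, r in self._records.items() if r.expires_at <= now]
        for k in expired:
            del self._records[k]
        return len(expired)

    def count(self) -> int:
        return len(self._records)


if __name__ == "__main__":
    store = CaptivePortalStore()
    t0 = datetime(2018, 5, 25, tzinfo=timezone.utc)
    for ev in SAMPLE_ASSOCIATIONS:
        print(ev["mac"], "->", store.on_association(ev, t0))
    print("records held:", store.count())
    print("withdrawn:", store.withdraw_consent("aa:bb:cc:dd:ee:01"), "held:", store.count())
    print("purged after 31 days:", store.purge_expired(t0 + timedelta(days=31)))
```

Two design choices are worth noting. The guest who declines still gets online; declining the marketing opt-in must never cost them the service, or the consent is not freely given. And because the MAC is stored only as a keyed hash, an erasure request can be served either per record (as `withdraw_consent` does) or, for the whole store at once, by destroying the key.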

Risk Assessment and Breaches

If you have a personal data breach, you'll have to report it to your supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the people affected.

Ignorance is not an excuse: fines can reach 20 million euros or 4% of your global annual turnover, whichever is higher.

Internal awareness is a requirement. Appointing a data protection officer is mandatory for public authorities and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data, and advisable for everyone else.

Collection of data for website analytics, email marketing and customer accounts all falls under the remit of 'data collection and processing', even for data you already hold.

Alerting systems and technology-assisted monitoring can help you track where your data is and who accesses it; there are many software solutions and checklists available.

In Conclusion

There's a lot of speculation on how the EU is going to enforce these regulations. Many smaller businesses will likely wonder how they're going to pull the infrastructure and funding together to become compliant.

There are 10 months to go from the date of this blog, and the current guidelines on the appointment of a Data Protection Officer are quite 'wishy washy', according to some HR and Operations professionals. As long as businesses start making a plan now, there's every likelihood that they'll be ready by the time the GDPR comes into force.

For those smaller businesses that rely on email, phone and analytics for their marketing, it's a good idea to obtain full opt-ins from consumers before the time comes when you must delete anything you don't have permission to use.

Here at Wifigear we sell CCTV DVR systems, IT hardware (switches, routers, wifi access points) and Cloud Wifi Solutions to help you on your way to compliance with the GDPR. Give us a call if you require assistance with these products!