GDPR: Start simple, go fast.

Interview with Paul van Noesel | Tech Data | EU GDPR

“Treat what you save with care” is the mantra Paul van Noesel, Business Development Manager IT Security at Tech Data, shares with organisations. He is referring to the personal data businesses collect about customers and employees: while data protection regulations have been around for several years, the expectation is that much heftier fines will be levied for violations from 25 May this year. Among other things, the regulation states that personal data may only be collected if it is necessary for the organisation’s intended purpose. That, Paul van Noesel says, is something we all need to think carefully about.

What will change?

Thanks to the extensive media coverage, it’s impossible not to have noticed that since May 2016, all EU companies have been obliged to create an overview of which personal data is processed, why, and with whom the data is shared. They are also obliged to notify the Autoriteit Persoonsgegevens (AP, the Dutch data protection authority) of any data leaks within 72 hours. The AP can then launch an enquiry into whether the regulations were complied with within the organisation. Nothing new so far. What’s new is how the rules will be enforced, and that is about to change drastically. Paul van Noesel: “Are you aware that you as an organisation are responsible for the protection of the personal data you collect and process? There is a difference between standard personal data such as name and address and specific data such as ID numbers, religion and health. The data you are allowed to store by law depends on the industry you work in. If data should leak, you have to be able to show for what reason you collected the data and the steps you took to protect it, and IT security plays a crucial role in this. Make a note of the steps you will take in case of a data leak in your organisation.”


History of the EU GDPR.

The European General Data Protection Regulation (EU GDPR) came into force in May 2016, superseding the Dutch law on data protection (Wet Bescherming Persoonsgegevens), which had been in place since 1996. Back then, companies didn’t really have that much (electronic) personal data, and we didn’t give it a second thought when huge amounts of data suddenly started being collected. We’ve since found out how valuable electronic data is and also how easy it is to steal. The EU GDPR was developed to protect our privacy.

Employee personal data.

One important source of personal data is employees. “Generally speaking, businesses are very careful when it comes to protecting this data, with agreements having been made. A limited number of people have access, and these work in HR. There are, of course, vulnerabilities, such as sharing the data with occupational health and safety agencies. What do they get sent and how do they handle it? When forwarding personal data, for example in the event of illness, it’s important to know that you as a company remain responsible for it, which is why you should conclude a data processing agreement with the other party to cover all bases.”


Customer personal data.

When it comes to customer data, you also need to think about what is being saved. “We tend to save more than we need because it is practical, for example a date of birth because we want to be able to send the customer a card on their birthday. Or gender. Above all, the new regulation wants us to think carefully about what we are doing. Everything that is saved can end up in the wrong hands, which could potentially have serious, unintended consequences, e.g. identity theft. We have to be careful with everything we save electronically.”


IT security and IT infrastructure.

Taking a critical look at everything we save is one aspect; protecting it is another. Whether your company is ready for the GDPR is inextricably tied to IT security and thus also to IT infrastructure. Paul van Noesel: “To give you an idea, when we analysed the GDPR we discovered that IT security was at the heart of 43 of the 99 sections, and we wanted to be able to offer our customers a foundation on the road to GDPR compliance.”


The Bechtle GDPR Quickscan – Getting off on the right foot.

How do you know if you fulfil all GDPR requirements? This is why Bechtle has developed the Quickscan. Paul van Noesel: “The scan gives you an overview of the status quo in three areas: people, processes and technologies. In terms of technology, the scan takes a much more in-depth look and provides concrete suggestions for turning your business into a fortress. Bechtle is on hand to help you through this process and provide you with any other information you need regarding potential solutions. A final tip: take things slowly so you don’t lose focus. Gain an insight into which personal data is where, how it is used and how it is protected. Start simple, go fast.”