The amount of information, comment, and opinion currently being produced around the new General Data Protection Regulation (GDPR) is vast, and it's easy to see why. With its broad scope and potentially severe financial penalties, this new legislation has many worried all over the world. Unfortunately, there are plenty of rumours and misconceptions circulating about the new rules which, if believed, could confuse, or even ruin, many in the relocations industry. This week Global Mobility Insider takes a look at five of the most prominent misconceptions we've seen, and why they're not quite right.
GDPR is a regulation on the topic of data protection, and as such, many seem to think that its rules will only apply to data companies. Unfortunately for many of us, however, the year is 2018, and every company that holds a customer list, a payroll or an inbox is a data company whether it wants to be or not.
Although holding clients' personal data is the norm in the global mobility industry, what many forget about is the personal data we hold about our own employees. The GDPR applies to the personal data of any natural person in the EU, regardless of their citizenship. This means that employees, shareholders and suppliers are all covered by the legislation, and you are required to protect their data appropriately.
As previously mentioned, the GDPR rules on the processing of personal data apply to any company established in Europe, and to any company elsewhere that offers goods or services to, or monitors the behaviour of, people in the EU. Therefore, businesses outside of Europe are required to provide the same level of protection for the data of people in the EU, even though they are not located within the original jurisdiction.
This substantial global reach is being extended even further as other countries follow the European Union's (EU's) lead and write similar requirements into their own laws. This uptake of the new data protection principles is primarily intended to remove potential trade barriers for businesses operating across borders, but it also acts to improve data security worldwide.
We have previously discussed on the Global Mobility Insider the many problems GDPR may cause for email, although we have now seen other sources begin to misunderstand these difficulties and claim that sharing client data via email will be illegal. Although there are many risks associated with the unsecured sharing of personal data via email under GDPR, this commonly used method is still legal, and may be appropriate for smaller companies.
Issues arise when medium and large businesses begin to rely on emailing documents for their day-to-day activities. In these situations, when multiple accounts are being managed and collaborated on, it is easy for personal information to be sent to the wrong recipient and for a data breach to occur. For this reason, it is preferable that larger organisations move away from these types of workflow and towards more secure and integrated systems.
As businesses prepare for GDPR, a common and wise step many are taking is to upgrade their IT platforms in nearly all areas. From purpose-built project management tools to data warehousing solutions, there is now a wide variety of technology suppliers who are focused on being GDPR compliant themselves and can help their customers do the same.
Too many misunderstand these software solutions, however, and believe that because their IT provider is compliant, so are they. All aspects of your business must be compliant, and your technology providers only account for a part of this. Internal data audits are necessary to discover and understand the scope of personal data in all areas of the business, not just on computers. You must keep records of processing activities and maintain control over the flow of information throughout your organisation.
True protection against outside malicious threats must take a multi-layered approach, and having quality, up-to-date antivirus protection is just a small part of it. Antivirus software relies on signatures of known viruses and malware, and is only updated periodically, once a piece of malicious code has been discovered, unpacked and understood by cybersecurity experts. If you look at many of the large data breaches of the past decade, they often took months, if not more than a year, to discover.
Therefore, it is vital that staff are adequately trained to monitor for, detect and respond to data breaches before they can become a significant problem. It is also essential to remember that the weakest link in a security system is frequently the humans who use it. Staff need to be able to recognise potential attempts to circumvent and compromise company security controls, and act accordingly.