What is GDPR?

The General Data Protection Regulation (GDPR) is a strict set of EU rules that governs how the personal data of EU citizens must be protected. It affects any organization with EU-based customers, even if the organization itself is not based in the EU. The GDPR was approved by the European Parliament in April 2016 and came into effect on 25 May 2018.

Explaining What the GDPR Is

The GDPR is essentially a set of rules designed to give EU citizens control over the data that organizations collect on them, regardless of whether those organizations are based in the EU. In the process, it also aims to simplify the rules imposed on these companies so that they are clearer and easier to comply with.

A company found to infringe on the data rights of its customers can face fines of up to €20 million or four percent of its annual turnover, whichever is higher. The maximum fine also applies to companies found to be involved in unauthorized transfers of personal data, and to companies that fail to give customers access to their data when requested. Smaller fines are handed to companies that fail to report data breaches or fail to build systems designed to protect customer data, but these can still run into the millions.

As you can see, the GDPR is not something to be taken lightly, especially if you have many customers in the EU. If you don’t comply with the GDPR, then your business, whether it’s a store, a website, or anything else that processes or stores data, cannot operate in the EU. If your company is already active, you should not open your business to EU residents until you have ensured that your systems protect your users. If your business is still in the planning stages, it’s important to consider the different ways in which you can protect your EU-based customers from the start.

Understanding What Data You Collect

If you want to be smart about how you implement the GDPR, you need to understand why you’re actually collecting information and how you plan to use it. Start by asking your team what information is collected and identifying the uses for that data. Catalogue the various types of data you hold and how each relates to your business, then remove anything that isn’t related to your business or serves no real purpose. Useful questions to ask include who you collect data on, how it’s collected, and what data is collected. It’s also important to consider why you’re collecting the data and to prioritise the types of data that are genuinely useful to your business.

Basic Cyber Security Practices

Standard cybersecurity practices, such as ensuring you have a firewall installed and configured correctly, should be the basis of your data protection strategy. You should also have antivirus countermeasures in place in case a threat is introduced to your network through external storage media such as a USB drive. The quicker you can stop the spread of a virus, the sooner you can contain the threat and deal with it so that it does not affect or steal your user data. These basic cybersecurity practices form the foundation of your GDPR compliance strategy and cannot be ignored if you want to be accessible to EU-based customers.

Have Protocols in Place for Data Breaches

A data breach is never a good sign for your security team, but it’s essential that you focus on understanding why it happened so that you can report it to the relevant data protection authority. This means you should have measures in place to detect, investigate, and finally report on a data breach. The report should cover how the breach happened, why it happened, how you plan to investigate, and what your investigation found, compiled into a comprehensive document that you can present. By setting up a protocol that your employees are aware of, you can quickly and easily compile information about the breach so that you can fix the issue and also report it as the GDPR requires.

Identifying Risks and Preparing Countermeasures

It’s vital that you identify the risks your network may be exposed to. For instance, your firewall may be robust enough to stop the odd attack, but it may not be able to withstand a denial of service attack. DDoS attacks are a major threat to personal data and can easily overwhelm smaller network defenses, especially if they are not updated or configured properly. If a DDoS attack manages to bring down certain network security systems, it could expose your entire network and give attackers free rein over the personal data you’ve stored.

Increase Awareness Regarding GDPR

It’s also important to inform your staff about the GDPR and how to stay compliant. This ensures that they take extra precautions with security and with how they manage customer-related data, and it should also help them enforce the security protocols you have established. This may include notifying your network specialists and chief information security officer about potential data breaches and anomalies within the network that could be a cause for concern.

Updating Customers About the GDPR

Under the GDPR, you also need to let your customers know that you’re collecting information from them and when you’re doing it. Your privacy policy should be updated to reflect this, and you should also have a notice on your website that lets your customers know about your compliance with the GDPR so that they can request the data you have stored on them. With a privacy policy on your website, you’re letting your customers know that you take data protection seriously and that you are committed to complying with the GDPR to offer them a safer and more secure experience when using your services.

About the Author

Jason Miller

Jason is the Chief Executive Officer of BitLyft Cyber Security. He has spent the last 19 years of his career focusing on network and system administration and cloud technologies. He is passionate about helping businesses embrace the next generation of technology, including cloud adoption and high-performance scaling software.