As a leading provider of IT, ERP, Telephony and Cyber Security services to the small and medium business (SMB) sector, I get to speak to a lot of businesses about Information Security and Data Protection. Most businesses in this sector do not have dedicated information security and data protection professionals working for them, and so are reliant on other sources for guidance on these two really important topics.
When the General Data Protection Regulation (GDPR) came into force in May 2018, many specialist leaders took the approach of scaring businesses into working toward compliance: big fines even for the smallest mistakes. In practice, this hasn’t happened, but over the last three years there have been two major myths that I repeatedly hear about GDPR which, today, I want to debunk:
“I am GDPR compliant because I have a really good IT system”
Businesses can employ the most sophisticated and up-to-date technical protections, but this still does not make them compliant with the GDPR.
The GDPR doesn’t tell a business what security it should put in place; it just states that it must put “appropriate technical and organisational measures” in place to protect its data. What the GDPR does list is a huge number of non-technical things businesses should be doing with the data they hold. Since the GDPR came into force, a large number of fines have been issued to businesses that have had “breaches” or have otherwise broken the law. Only 22% of these have related to technical/security measures – the remainder come from all other aspects of the GDPR.
Do not get me wrong, IT security is of the utmost importance, but it plays only a part in making sure your business is compliant. I like to think of IT security as the bouncer at the door of the nightclub – it is there to help protect your data, but it cannot do everything for you.
“Our solution is GDPR compliant”
Unfortunately, I hear this a lot. A business is looking for a new product or service and the sales pitch includes this statement; just to be clear, it is very, very unlikely to be true.
My biggest bugbear with this particular line is that “GDPR compliant” is not a certification. It is often positioned as a certificate a business holds for the product/service it is selling – this certification does not exist.
This line is often used in conjunction with the line “Our solution is GDPR compliant because we host your data in the UK/EU”. Just because your data is held in the UK/EU does not mean it is GDPR compliant. Most of the major technology providers in the world are not UK/EU based. You often get to choose where your data is stored, which is great, but as soon as you need support, their teams are based worldwide. Your data will be processed outside of the UK/EU, and therefore you have to make sure you have the correct contracts in place. One provider (not one of the big players) told me a few weeks ago that “if you wanted a contract which put extra protection in place then you should find another provider” – I chose not to work with that business!
Finally on this subject: “our service can make you GDPR compliant”. This is another myth. Under the previous myth, the chart shows the breakdown of fines issued by the different supervisory authorities by the type of violation of the law. All but one of these categories are about what businesses do with their data; having your data in the “cloud” (for example) cannot excuse you from these other responsibilities.
Technology and IT security form a massive part of protecting your data, but they are only one part of ensuring your business complies with local data protection legislation. Speak to one of our team today, who can help you with the appropriate technical measures to protect your business.