Regulations are just the start
As you read this we are five days into the new world of the General Data Protection Regulation (GDPR).
It is here whether we are ready or not, and many columnists suggest that we are not.
There has been significant media coverage regarding the dawn of this new era and I fear many people are already “greyed out” on the topic; indeed, many may have stopped reading this article after the first sentence!
By now, businesses holding the personal data of others, even something as basic as a name, address or email address, should have considered how they are going to hold and use that data and sought consent for doing so.
Now that GDPR has been implemented, we are not at the end of the journey but at the beginning. From this point, any unauthorised disclosure of, or access to, personal data has to be reported to the Information Commissioner's Office (ICO) within 72 hours.
Following a data breach, it will be necessary to establish how it happened and who has been affected; that investigation, along with the repair and restoration of systems, will no doubt not come cheaply.
In many of my discussions with businesses they are dismissive of the risk, with the primary reasons cited being that criminals will not be interested in them or that their IT professionals ensure that their systems are fully protected.
We must not forget that criminals are targeting a random IP address that happens to belong to a business, not the business itself, so “interest” in a business is not relevant. And even with the most robust and sophisticated IT system, there is nothing that protects against accidentally sending an email containing sensitive data to the wrong person.