3 months to go – are you ready for GDPR?

By 26th February 2018Blogs

Just 3 months to go until GDPR…are you ready?

With just three months to go before the General Data Protection Regulations (GDPR) come into effect on 25th May, we’re having a “spring clean” of our data and business processes in order to comply – are you?

Here’s our top tips to help you get ready for GDPR:

Find out where all your data is stored.

From employee information, to contact details for suppliers and clients, you’ll probably be surprised to find out how many places your business is storing data – we certainly were!

Whether it’s filed away on network folders, stashed in the Cloud, left forgotten in some marketing platform, or just one of the hundreds of spreadsheets and CSV files that were shared around via email with partners and suppliers, this data is often inadvertently left exposed – and possibly unprotected.

We did an audit of our own data, and quickly found more than 35 companies, systems and places storing our data – all outside our network.  Some of them were legacy systems we’re no longer using, and had forgotten about.  And we’re a small company, so imagine how that’s going to be magnified for larger organisations.

Focus on the data, not the network.  It’s GDPR, not GNPR.

Much of the attention around GDPR to date has – rightly – been focused on network security, and trying to stop data breaches in the first place.  But GDPR isn’t about protecting your network, it’s about protecting your data – it’s called the General Data Protection Regulation, not the General Network Protection Regulation, after all.

If your company’s data gets hacked or leaked by someone else – a client, a supplier, or an ex-employee who’s walked off with a USB stick, you’ll need to find it quickly and mitigate the breach before your data falls in the hands of the bad guys.

Most businesses we talk to haven’t even thought about looking for their data “outside the perimeter” – they’re probably the ones who risk finding out about their data breach on the BBC, perhaps followed up by a stern letter (or worse) from the ICO.

So, please make sure you’re protecting your data – not just your network.

Watermark and fingerprint your data

One of the simplest steps you can take to protect your data is to add a few fake entries, which can act as “watermarks”.  Just invent a plausible-sounding person, perhaps register them an email address, and add them to your CRM system, website login, internal client list, or whatever.

That way, if you ever see that person’s details being posted online, you know your data may have been compromised – maybe not by you, but by a client or partner who’s had access to that data, and has inadvertently lost it.

So, if your data is breached, where does your data end up?

At this point, we’d traditionally start scaremongering about how all that stolen data is being sold by cybercriminals on the “Dark Web” – and you’d probably stop reading.

The dull reality, of course, is that the vast majority of that data will probably lie undisturbed for many years in some corner of a hard disk, until it gets deleted or scrapped – without anyone ever knowing about it.

But of course there’s also a chance that some of it may get leaked or hacked.

Whether it’s by an ex-employee with a grudge who wants to publish an embarrassing corporate email chain, some former marketing consultant assembling a contact list from his previous clients, or an automated script trying to harvest credentials from some far-off country, there’s a risk that some of your data does eventually make it into the wild.

And the go-to places for this sort of data exchange are the dump and file sharing sites forming part of the “Dark Web” – a loose term describing the hidden parts of the internet not indexed by conventional search engines like Google or Bing.

Traditionally a network for illegal activities like the sale of weaponry and drugs, the Dark Web is increasingly becoming a marketplace for something much more valuable: your data. This includes employee email addresses, credit card details and company login information. The challenge, however, lies in detecting your information once it’s been stolen, leaked or hacked – particularly if the data came from one of your clients, partners, or employees.

How would you find out if one of your customers got hacked?

Turns out, it can be surprisingly easy to keep track of your data.   In addition to watermarking your databases, automated tools (like our amazing – and highly affordable – BreachAlert platform) can be set up in minutes, keeping watch out for your data appearing “outside the perimeter” – just like having CCTV or a security guard protecting buildings and car parks.

To find out more, why not take a look at our white paper, or watch our 60-second video ? Then we’d suggest you get out the feather duster, pop on an apron, and start spring cleaning your data – you’ve got just 62 working days before GDPR comes into force.