Security Guide - GDPR non-compliance

What is the cost of not being GDPR compliant?

The collection, storage and use of customers’ data has just become much more challenging, as a result of the EU’s General Data Protection Regulation (GDPR), which aims to give individuals back ownership and control of their personal information.

What’s at stake?

Retailers and hospitality companies that breach the GDPR face graded penalties depending on the severity of the case. The maximum fine is 4% of annual global turnover or €20 million, whichever is higher. Less serious violations, such as keeping improper records or failing to notify of cyber security incidents, can attract a maximum fine of 2% of annual global turnover or €10 million.

Ensure you are GDPR compliant

1. Create a comprehensive data log: Companies need to create one clear and comprehensive log of all the data they hold, including details of where it is stored. This includes understanding the systems used to store and process data, and how these systems work together.

2. Improve security and create a data breach plan: Under GDPR, you must notify affected customers within 72 hours of a data breach. You must also be able to explain what happened, why, the risks customers have been exposed to and the next steps. This makes an effective, well-rehearsed data breach plan essential.

3. Review current processes used to obtain consent: GDPR requires all companies to gain unambiguous, active, and explicit consent for the use of customers’ personal data. You also need to explain in simple language what data you have collected and what you use it for. Retailers and hospitality companies cannot use the data for any other purpose than has been agreed with the customer.

4. Create processes allowing customers to access and download their data: Under GDPR, customers have the right to access, export and transfer their personal data if they wish (also known as data accessibility and data portability). In practice, this means companies must create processes that enable customers to download their own data within 30 days of a request.

5. Review all third-party contracts: Companies are likely to work with vendors or other third-party partners who act as data processors. Under GDPR, companies remain accountable for how data is processed and used; in the case of a data breach or misuse, the retailer or hospitality organisation and the vendor share the liability. This means a company can still be fully liable if a data processor partner suffers a data breach or misuse. It is the retailer's responsibility to set out clearly how the vendor may use the data, so you need clear and comprehensive guidelines on data use for any third party. You should also review all the contracts you hold with these partners to ensure there are no ambiguities about accountability.
What Vodat can do for you

In support of your employee cyber security education, we can set up alerts reminding your staff of your acceptable internet use policy and also remind them not to use insecure Wi-Fi networks before they attempt to log on to public networks.