Preparing for the General Data Protection Regulation
There is going to be a great deal of work that many of you will need to do, to comply with the forthcoming EU General Data Protection Regulation. Of course, in reality, you should already have good systems and procedures in place to ensure the security of the data you hold and have strong security in place to help prevent disclosure of that information to unauthorised users and hackers.
But most of you don’t.
So let’s start the process by giving you some background information:
This is a useful ‘getting started’ guide produced by the Information Commissioner’s Office.
Here’s what you can expect in greater liability exposure with the GDPR.
- The GDPR significantly adds to the protections for EU data subjects afforded by the existing EU Data Protection Directive, which it will replace, while authorizing record-level fines for non-compliance of up to a maximum of 20,000,000 EUR or 4 percent of annual global revenue for the preceding financial year, whichever is higher, for certain violations, and up to half those amounts for other violations.
- Under Article 32, both controllers and processors are required to “implement appropriate technical and organizational measures” considering “the state of the art and the costs of implementation” and “the nature, scope, context, and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.”
- The GDPR makes personal data controllers liable for the actions of their processors and responsible for compliance with the regulation’s personal data processing principles. Consequently, just as data controllers will be looking to make changes to become compliant before the regulation’s effective date, so too will they need their data processors to demonstrate compliance.
How might this impact FileMaker users?
This section is going to expand over the next few months but let’s start with some basics.
Do you know who is logging in to your system? Can you see any unauthorised logins? No? Do you actually have a login system for your databases?
Have you set up your security so that only relevant information is presented to each user? After all, you don’t need to expose all of your data to every user, do you?
- Is everything that a user does logged in FileMaker? No? So how are you going to tell who did what?
- Have you taken reasonable steps to ensure the data cannot be exported or copied?
- If you really must store payment details, are they encrypted and hidden from users except when required?
- Is your database accessible from the Internet? What security precautions have you taken and how do you monitor remote logins?
- Do you keep FileMaker and any associated files and scripts up to date?
- Do you regularly test your security?
- Have you ever tried to actually restore from a backup? And how secure are your backups? Who has access to them?
- Have you installed an SSL certificate?
- Are your FileMaker files encrypted?
- Do you remove email addresses when people ask to be removed from lists?
- Do you store the IP address of all signups to help prove you are compliant?
Looks like the first wave of problems is starting to appear: