EU General Data Protection Regulation (GDPR) is looming large on the corporate agenda for organisations of all sizes, scales and sectors.
GDPR is regarded as the most important change in data privacy regulation for over two decades – and as you are no doubt aware, organisations that fall short of the regulation after 25th May 2018 could face fines of up to €20 million or 4% of their annual global turnover, whichever is higher.
As that deadline draws closer, there is increasing confusion and a growing sense of panic about what GDPR really means and how to start becoming compliant.
In a nutshell, GDPR is about how data is captured, transformed, held and destroyed and, as you might imagine, preparing for the change is not a simple process. Given the varying structures, sizes and scales of organisations in the EU, there is no ‘one size fits all’ approach.
To get your GDPR process moving, if you haven’t already, Peter McCready, CTO at P2V Systems has identified three core areas to explore that will help set your organisation on that journey.
1) Understand the data you collect and process
First up, you need to analyse all the data (particularly personal and sensitive data) you collect and hold, and the policies you have in place around it. Consider whether you have appropriate justification for processing the data, and look at your data lifecycle in terms of how long you need to retain the data. Often companies are simply unaware of the sheer scale of data within their ownership. If data is well managed, it will help with mandatory processes such as Subject Access Requests (SARs), where an individual can request to see all the information your company holds on them, or exercise their Right to be Forgotten.
A thorough audit is an essential starting point to understanding the data you collect and process.
2) Ensure you have appropriate governance mechanisms in place
Next, review your organisation’s policies and procedures in relation to data management. Do you have the personnel in place to deal with GDPR and do your employees understand what is expected of them? Any EU citizen may ask you to show all data you hold pertaining to them within 30 days – are you positioned to deal with these requests?
Some important questions to ask are: What are your data protection and retention policies? After how long is your data deleted? Do you have processes in place to ensure data is securely deleted once it is no longer needed? Do you have a plan with a clear set of actions to follow in the event of a data breach?
Key policies that should be documented and implemented include an Information Security Policy, Data Protection Policy and an Incident Response Plan. These will help you answer the questions above and inform what needs to happen with personal data within your business.
3) Implement data security mechanisms to protect your personal data
Think about your solutions and services – what protection and preventative measures against attacks and threats are in place within your business? For example, you may have antivirus, patching and firewalls in place, but are they appropriately configured, and do you have sufficient management and review processes in place for them? Encryption of data, at rest or in transit, is an important tool to protect against data breaches; consider the areas where you can use it to bolster your defences.
Review your operational procedures to ensure that you have full visibility over what is happening within your IT environment. For example, are you confident that only the people who should have access to your systems actually have access? Do they have the appropriate level of permissions? And do you have a full audit trail of who is accessing your systems?
Don’t bury your head in the sand – be proactive!
Unfortunately, the nature of IT and information security in the modern world is that you will never be 100% protected. However, by following the three steps above you will be on the right path to significantly mitigating the risk of a data breach and ensuring compliance with the GDPR. It’s a case of finding the right balance of policy, processes and technology that works for your business, based on the data you process.
Regardless of your budget or resources, you must take a proactive approach to tackling compliance. P2V Systems offers an audit process, information workshops and online compliance training as part of its consultancy approach to GDPR. Whether you need advice or technical support, one thing is for certain: technology will be central to getting your organisation up to speed.
A final and most crucial piece of advice is: don’t keep your head in the sand. Being unaware or uncertain about your responsibilities will not matter if your organisation is found to be non-compliant.