4 Steps to GDPR Compliancy
GDPR is less than 288 days away and it's starting to get the attention of executives in companies. But why do they care now? There have been lots of directives before.
The key difference is that this is no longer a directive which a country can opt into. GDPR is a regulation that each country must obey. It also has large repercussions for companies that are non-compliant: fines of up to 4% of global turnover or €20 million (whichever is greater). That's a lot of money in anyone's books.
Here are some simple steps an organisation can take to ensure they are compliant:
1. Find out all the data you hold on consumers and staff and where it is located. You need to engage with as many stakeholders and departments as possible, and check whether IT has the data discovery tools to assist you.
2. Define all the data you gather: why is it needed, how sensitive is it, and do you have the legal authority to keep it? If you do not have the legal authority to keep the data, remove it.
3. Categorise the data into personal data items and then rank them in order of importance. Discover who currently manages and has access to the data.
4. Put in place a clear legal basis for processing and ensure all processes have clearly defined privacy notices that you communicate to your entire organisation. In the lead up to 18th May it is important that you test all of your processes with use case scenarios to ensure they work.
The processes should also include a clear reporting process so that data is readily available and presentable in a standard format.
You should also ensure all data is encrypted so that it is of no use to anyone who may steal it. Encrypt all storage and keep a full record of every place this data can be found, be it storage tapes, cloud, databases or paper. If it is accessed by systems, ensure those systems are recorded centrally for easy reporting.
IT departments exist for a reason. They need to be at the core of an organisation. Shadow IT flies in the face of the centralised compliance approach of GDPR. IT needs to be the gateway through which all data flows and through which all systems are protected to prevent data breaches. If you scan the systems and find vulnerabilities, fix them as soon as possible.
If you develop your own software, use the OWASP tools to scan your code. If they find vulnerabilities, share this data with the rest of the IT team, as other systems may carry the same risks yet to be detected.
All companies must also appoint a Data Protection Officer (DPO) who is responsible for the overall compliance of the organisation. Aside from the DPO, it is imperative that all of your employees are educated in GDPR and have been trained on the processes. You should also include them in the test scenarios. It is also important that you communicate with service users so that both of you are fully informed about how their data is used.
If there is a breach, ensure that you inform the affected users as soon as possible and that the breach is reported to the regulator within 72 hours at most.
It's all well and good to do this as a one-off effort, but each of the points above will need to be carried out on an ongoing basis. Keep analysing your data in case someone has created fields or data that could compromise your GDPR compliance. This ensures you stay compliant and will reduce the overall risk for your business.
Following these quick steps will greatly help you get ready for the GDPR regulation and make the risk of a debilitating fine less likely.