Don’t get Zuckered! Staying secure and compliant post GDPR
After four years of preparation and debate, GDPR was approved and implemented, and it now affects how every single company does business with external parties. As EU citizens, we have the right to control our personal information, and rightly so. If you process or store any such information, there are now watertight laws and regulations attached to everything you do that concerns the handling of that data - a triumph for the EU.
The 25th of May seems long ago now but what has really changed since then? Could you wholeheartedly say that your company is completely safe in being compliant - that there are no grey areas? Could your CEO still be subjected to being hauled in front of a commission, facing a barrage of questions on why safeguards and protection processes were not in place or followed?
Unfortunately, it appears that there are businesses in the Irish market still not prepared for this seismic shift in data regulation. In a survey by TrustArc last month, 80% of companies in Ireland and the rest of the EU were still not GDPR compliant. Only one in five (20%) of the companies surveyed believe they are fully compliant, with 53% still in the implementation phase.
Does this sound familiar?
If this sounds like you, don’t bury your head in the sand. Jump straight into action and acquire the help you need to address this compliance requirement.
Just as with all ‘e-conveniences’ (email, mobiles and so on), compliance and data protection are necessary components of our digital age. If you fail to implement the required protections, you will be seen as negligent, and the significant penalties will certainly demonstrate the gravity and importance of these regulations.
So, how can you fix this?
Your first priority is to enlist help from the experts in this area. Once the data that falls under the regulation has been understood and identified, the experts can help you shape the policies, processes and technologies needed to comply. Start with the basic concepts of Identify, Protect and Report.
If you’re using Microsoft Office 365 for example, you’ve already got these tools available for you.
- Data Subject Requests can be facilitated by scanning all Office 365 components for data related to any specific user.
- Use Content Search to find and export personal data.
- Automatically apply data classification and labelling to files containing personal information.
- Trigger disposition reviews to decide whether personal data should be deleted once a defined retention period has elapsed.
- Establish security policies, monitoring and alerting to prevent, detect and respond to cyber threats.
- Being able to demonstrate your governance is key. eDiscovery results can be exported easily and presented in simple consumable formats.
- Detailed reports of assessment activities around these technologies, combined with your organization’s own assessment information, can be provided to internal or external auditors and regulators.
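As an added illustration of the first two points above (locating and exporting a data subject's personal data with Content Search), here is a worked example in Security & Compliance PowerShell. It is not code from the original article or from Microsoft; it assumes you hold an eDiscovery Manager role, that the ExchangeOnlineManagement module is installed, and that the tenant admin account, data subject address and search name shown are placeholders you replace with your own.

```powershell
# Added example: locate and export a data subject's personal data with Content Search.
# Assumes the ExchangeOnlineManagement module and an eDiscovery Manager role.
# All addresses and names below are constructed placeholders.

Connect-IPPSSession -UserPrincipalName "admin@contoso.example"   # placeholder admin account

$subject    = "jane.doe@contoso.example"                         # placeholder data subject
$searchName = "DSR-jane-doe-$(Get-Date -Format 'yyyyMMdd')"       # one search per request, dated for the audit trail

# Search every Exchange mailbox plus all SharePoint and OneDrive sites
# for content that mentions the data subject. Keep the query narrow
# (the address, not a common first name) so the export does not sweep
# in other people's personal data.
New-ComplianceSearch -Name $searchName `
    -Description "Data Subject Request for $subject" `
    -ExchangeLocation All `
    -SharePointLocation All `
    -ContentMatchQuery "`"$subject`""

Start-ComplianceSearch -Identity $searchName

# Poll until the search finishes, then record the hit count for the DSR record.
do {
    Start-Sleep -Seconds 30
    $search = Get-ComplianceSearch -Identity $searchName
} while ($search.Status -ne 'Completed')

"Search '$searchName' found $($search.Items) items ($($search.Size) bytes)"

# Review a preview before exporting, so the export action itself is
# a deliberate, logged step rather than an automatic one.
New-ComplianceSearchAction -SearchName $searchName -Preview

# Export the results; the package is then downloaded from the compliance portal.
# Limit who can fetch it, since the export itself is personal data.
New-ComplianceSearchAction -SearchName $searchName -Export -Format FxStream
```

Every cmdlet run here is written to the unified audit log, which is what lets you later demonstrate to a regulator who searched for what, and when. Delete the export package once the request has been fulfilled; retaining it would create a new copy of the very data you were asked to account for.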
You may need help with this.
You might have thought the hard part would be over once May 25th came and went, but there is a lot more to come. Examine your in-house processes. Take a further look into the data you are holding. Are you sure everything is how it should be? Be sure now, or potentially suffer the consequences of a €20 million fine that could be a catastrophic blow to your business.
These fundamental steps are your safeguards for demonstrating your compliance and co-operation with the new regulations. Consult an organisation that can provide these services and package them together to make your adjustment that much easier. There is no time left - action needs to be taken, and it needs to be with a partner you can trust to deliver. Make sure you trust the right one.