Get Compliant. Stay Compliant. 6 ways to stay GDPR proof, 6 months on
More and more, we have been hearing about companies who are not yet fully compliant with GDPR. In its latest annual CIO survey, KPMG spoke to 3,958 tech execs, and a worrying number of respondents said in April that they expected not to meet the May 25 deadline, which has already lapsed. These execs are working at organisations with a combined security spend of up to US$46 billion. The biggest reason they named for not being compliant? The complexity of the regulation itself. GDPR is not easy, that’s a fact. But can you let the complexity of new process implementation be the reason you potentially get fined €20 million or 4% of your global turnover? The complexity doesn’t have to win. Follow these 6 best practices for getting and keeping your data compliant and let GDPR be a past worry:
1. Keep your data registry clean
Data is everywhere in organisations, from the visitors’ book in reception to the list of kids’ names for the annual Christmas fun day. Passport copies are often held on shared drives to meet
If you keep the focus of the business analyst team on discovering personal data and the processes for handling it, then you have the majority of what is needed for entries into the data registry.
The difficulty is having an open mind as to where personal data is stored. Your GDPR consultants will have this knowledge. Here are some examples we find that an expert in GDPR is more likely to discover:
- The visitors’ sign-in book at reception
- A waiting list for procedures in a hospital
- CCTV footage of customers in your business
- Scans of passports for KYC checks
- Family and next of kin data, held for HR or social reasons
- CVs of people in email trails or attached to calendar invites
- Citizenship data for travel or visas
These are all areas where personal data is being kept, yet they would not be obvious to most. According to a Veritas study, 52% of all data stored by organisations falls into these non-obvious categories.
If you don’t know what data you hold, where it is and who has access to it, you are in breach of the GDPR. Mid-sized SMEs must keep auditable records of all processing of personal data, but without a detailed description of the processes by which this data is managed, it will be hard for any organisation to prove compliance under the principle of accountability.
2. The tools to aid you are there
You need to document the security of the systems that process personal data, and ensure you have adequate, state-of-the-art technology in place to protect it at all times. The attackers you are protecting your data from will be using the latest hacking tools as they become available.
There are several tools on the market which allow you to document and map your data processes and add these processes to your enterprise architecture documentation, if you have such systems. GDPR promotes the use of a data registry for gathering basic information on data processes. The data registry will be the basis for auditing your data processes and the data that flows through your organisation. With the right data management policies and processes, it is easier to comply with the GDPR.
3. Keep watch of the dark data
As mentioned above, if you integrate the correct technical tools into your data processes, you can also use them to discover the more concealed data. These tools can discover the content, location and security controls of the data. Most businesses don’t know where this dark data resides, but it costs money to store, and it can also attract a regulatory breach and the associated fines. Use the tools to delete data you don’t need, and put in place the policies and procedures that will prevent the problem of unnecessary data gathering from recurring.
4. Establish processes to quickly adhere to data subject requests
Under the GDPR, each individual within the EU, aka the Data Subject, gets new and improved rights around the management of their personal data. For example, each data subject has the right to receive a copy of all the personal data that you hold on them, the right to have this data forgotten and deleted or to have any errors in it corrected, the right to have its processing restricted, and the right to request a copy of their personal data to take to another organisation. These requests must be fulfilled within a maximum of 30 days from the initial request. These timelines may look achievable, but there are many considerations:
- The amount of personal data that many organisations hold on individuals
- The time it takes to consider the legality of the request
- Proving the individual is who they say they are
- Retrieving the data in all its different formats, from numerous systems
- Reading it while focusing on just the personal data
- Considering what data can be held back for other legal or commercial considerations
- Gaining any compliance approvals
5. Establish the correct practices to meet timelines
To meet data subject requests, you will need to put in place the processes to quickly gather the personal data you can discover and forward it to a compliance expert for review. You need to ensure the company has a consistent process, and that it is not left to individual departments to come up with their own styles of approach.
You need to create procedures to ensure the personal data is:
- Disclosed correctly as part of the data subject request
- Deleted when a right to be forgotten request arrives
- Corrected if needed by the data subject
- Exportable to a data subject if they want to port to another company
- Restricted in electronic processes if the data subject objects to the processing
All of the above also need to be recorded in auditable logs so that you can prove compliance to the data commissioner on request.
6. Invest in the right technology and security
The integrity and confidentiality principle in the GDPR requires that personal data be protected from loss, damage and destruction. It is therefore critical to make sure that the data is backed up securely so you can recover it, and that any data you remove from systems is also removed from backups and redundant systems. This also covers the secure destruction or wiping of hard drives, USB devices, scanners and print devices.
There are numerous ways data can exit a company, and often the simplest are via tools on individuals’ desktops or multi-function printers that are not normally restricted.
Even if you have already completed your data discovery phase, employees in your company will constantly be refreshing and adding new data to the business. This needs to be looked at regularly, as new (or indeed old) personal data can be scattered across multiple devices, cloud tools, network shares, personal mobile devices and backup systems.
So what's next?
Even though the deadline day has come and gone, businesses are still scrambling to ensure that the data regulator doesn’t come knocking at their door. Just because it’s not all over every news outlet and social media channel anymore doesn’t mean that GDPR is no longer an issue. If you haven’t made sure every single one of your processes is transparent and efficient, you will suffer at some stage. Follow these 6 steps regularly and thoroughly and you will ensure that your data is protected and compliant, and your company will not be hit with a hefty fine. If what the survey says is true, and complexity is holding you back, speak to an expert like Ergo and use their services. What have you got to lose? A lot.