Time is ticking to ensure your business is ready for General Data Protection Regulation (GDPR), coming into practice on May 25th. With just 50 days to go until the new legislation affects you, have you nailed these five key areas?
1. Creating awareness
You may be fully informed on the changes that have and will be taking place to ensure your business is GDPR compliant, but just how well-versed are the rest of your organisation?
By carrying out regular training and clearly informing staff on how and where to safely store and share data, you can demonstrate GDPR compliance. Hands-on training will also give employees greater awareness of their responsibility, which, in turn, will encourage proactivity in protecting against potential cyber attacks.
Awareness among staff is essential to making sure your company does not find itself on the wrong side of the law.
2. Checking processes
Have you accurately highlighted each and every process that deals with personal data? And are you sure they all now meet individuals’ new rights under GDPR?
Processes must align with the following eight rights included in GDPR:
1. The right to be informed;
2. The right of access;
3. The right to rectification;
4. The right to erasure;
5. The right to restrict processing;
6. The right to data portability;
7. The right to object; and
8. The right not to be subject to automated decision-making, including profiling.
Now is the ideal time to check what procedures you have in place and if it is straightforward to detect and delete data. It is likely all internal processes will need significant enhancements in order to meet the above criteria.
3. Assigning responsibility
GDPR will require you to appoint a Data Protection Officer (DPO) if you are a public authority or business that processes a large amount of specific categories of personal data.
Article 37 of the GDPR explains that this can be a current member of staff, though they need to be permitted to work independently and shouldn’t have other responsibilities that clash with their DPO role. Alternatively, a DPO can be externally recruited. They should be selected based on their professional qualities, specifically their ‘expert knowledge of data protection law and practices’.
The appointed DPO will provide guidance and practical advice, explain necessary processes, and put safeguards in place to prevent companies falling foul of GDPR.
This is an essential component of your preparation, as a DPO can be seen to play a key role in your organisation’s data protection governance structure and help improve accountability.
4. Locating data
Most businesses have data stored in multiple locations, and may even have data stored in places they are unaware of. Have you ensured that all of this is accounted for?
By data mapping you can identify this information and how it moves from one location to another, such as from suppliers and sub-suppliers to customers.
This will help enable you to review the most effective way of processing data and identify any unforeseen or unintended uses.
A data map should identify the following key elements:
Data items (e.g. names, email addresses)
Formats (e.g. hard copy forms, online data entry)
Transfer methods (e.g. post, telephone, internal/external)
Locations (e.g. offices, cloud, third parties)
It should also show who has access to the data at any given time and who is accountable for it.
5. Deploying the right technology
Are you in an organisation that is just about surviving on ageing and/or undocumented IT operations? Do you really have the right technology in place? Organisations must implement appropriate technical and organisational measures that support data protection principles. Many businesses will need to invest in new technology, such as data encryption and storage.
It is time to make a decision on what technologies to invest in to increase the chances of being compliant by the 2018 deadline.
SCC provides a wide range of IT services to help you manage your data, including IT security. We are relied upon to deploy industry-leading tools to help protect and mitigate against risks posed.