With so much noise surrounding the issue of GDPR, it's no surprise that people are tuning out, as highlighted by a recent report showing that nearly a quarter of UK SMEs have not yet begun to prepare for it.
It would seem some organisations are adopting a fingers-crossed approach, hoping that if they ignore it, it might go away. With the deadline for the new regulations fast looming (it becomes law on 25 May 2018) and heavy fines of up to €20 million or 4% of global turnover for non-compliance, now is the time to take action.
Here are 7 steps which your organisation should undertake to work towards becoming GDPR compliant.
Step 1: Educate your organisation
It’s vital that you don’t leave the work of sorting out the regulations to the IT department alone – everyone in the business needs to be made aware of the new rules surrounding data regulation. Coming into line with the rules will likely mean you need to change policy, and keeping your whole team informed will ensure that the proper procedure is followed. An Information Officer should be appointed who is responsible for data within the organisation, but it requires boardroom-level input to ensure that there is a coherent strategy across the whole organisation. If the knowledge to create this plan does not exist within the organisation, an outside specialist should be sought to formulate it.
Step 2: Update your policies and how you collect data
Once you have got to grips with what the regulation entails and audited and taken control of the data across your organisation, you need to look at how you currently handle it.
You should consider what types of data you currently collect from your customers and clients, and where this data is stored. Under GDPR, one rule is that customers have the right to ask businesses to erase their personal data. This means you must have the capability to do so – it may involve completely changing the way you store the data in the first place.
Step 3: Mitigate potential data breaches
One of the main reasons GDPR has been brought in is to make businesses accountable for breaches and loss of data, and the most likely reason your business will be subject to a GDPR assessment is that it has suffered a data breach. This means you need to ensure that your organisation has mitigated the threat of a cyber security breach, which covers a range of threats including cyber fraud, hacking and insider threats such as employees leaving data unsecured.
Whilst cyber security is vital to GDPR, it is a topic in its own right; for more information see our recent blog, Steps to be Cyber Secure. If your organisation doesn’t have adequate protection, it should speak to a cyber security specialist such as EBC Group.
Step 4: Determine your GDPR risk
Personally identifiable information (PII) is any data that could potentially identify a specific individual or distinguish one person from another. PII can be sensitive or non-sensitive. Sensitive PII is information which, when disclosed, could result in harm to the individual whose privacy has been breached. Sensitive PII should therefore be encrypted both in transit and at rest. Knowing what PII you have within your organisation and where it is located will enable you to determine what you might need to do. Questions to ask include:
- How complex is your organisational structure?
- How much data is each part of the organisation processing, and what is the data used for?
- Was the necessary consent obtained from the individual?
- Where is personal data currently stored, and is it protected adequately?
- How many vendors are processing data on behalf of your organisation?
Step 5: Identify and secure data
The first step to securing your data is identifying and understanding what it is and where it is. EBC Group provides an Information Management solution which enables organisations to easily locate, process and move unstructured data from multiple sources across an organisation. It allows you to:
- Search for, identify and process PII across multiple sources, establishing where it is and what it is so it can be properly protected
- Run reports enabling you to understand what data is held within the organisation, including different departments, individuals and applications
- Recognise and cluster relevant data using Machine Learning Classification
- Provide reports and real-time dashboards of what information is held
- Show what is classified as personal data, identify what it actually is and flag what is no longer being used
- Stay secure by having only the metadata enter the cloud, leaving your files to move directly and securely from the source to their target
Step 6: Securely control or delete data
Once you have identified which data is PII, your organisation needs an easy way to securely control it, or delete it if it should no longer be kept. EBC Group's Information Management tool, M-Files, integrates easily with an organisation's existing systems and repositories in a way that leaves the data in place, in its original location, without disturbing existing systems and processes. This enables companies to continue to leverage their legacy systems while adding the information management functionality needed to protect personal information and adhere to GDPR. M-Files provides a single viewpoint onto all the critical information across your organisation wherever it is stored, in a way that is easy to find, analyse, control and audit. Because it can view and access data across the organisation without moving the original data, implementing it is simple.
Once you have completed your initial audit, having a system that creates automated workflows and permissions will make it much easier to stay compliant going forward.
Step 7: Prove your compliance
A critical aspect of GDPR compliance will be that your organisation can quickly and easily demonstrate the steps it has taken towards meeting GDPR requirements. It needs to be able to provide this information and supporting documentation to auditors if required. In the event of an audit or breach, proving that your organisation has the correct data policies in place and can securely manage and control the data it holds will be vital. Having an Information Management system with strong audit and reporting capabilities, allowing companies to efficiently produce the documentation and other information needed to respond to compliance requests, will make this a fast and simple process.
There are many things an organisation needs to do to make sure that it manages its data securely, and applying these steps will do much more than just prepare you for the legal changes. The whole point of GDPR is to keep companies better protected and able to deal with security breaches. Putting the right strategies and systems in place can keep your business secure for years to come.