Data protection: Putting GDPR into practice

The EU’s long-awaited data protection reform is set to come into effect at the end of the year, but awareness of the GDPR and its potential impact still seems to be lacking. Ipswitch carried out a survey of EU-based IT professionals earlier in the year, looking to uncover what is known about the reform and its effect.

The results were cause for concern: more than half (52 per cent) of respondents said that they weren’t ready for GDPR to be implemented, and even more worrying were the 35 per cent that admitted not even knowing if their IT infrastructure was up to scratch.

So maybe it’s time to stop trying to understand the specifics of the reform, and the exact wording of each initiative put forward? For many business owners, specifically SMEs, this is far less useful than knowing what concretely should be done to prepare for GDPR, and how to operate within its parameters once it is rolled out.

Broken down by technology, people and company culture, here are some easy-to-follow starting points to ensure you are prepared for data reform when it lands.

Process and technology

  • Have a system to remove personally identifiable information: Businesses can now be asked to remove information on file that could be traced back to the individual it was taking from. This information needs to be replaced with a random ID key, meaning that all data can be classed as pseudonymous. As well as providing an extra layer of security to the data, this can now be actively used to gain insights – but only if a business has a controlled and organised data system. This should be one of the first things any business does to comply with GDPR.
  • Monitor your data retention: The period in which you are allowed to retain this data – pseudonymous or not – will be subject to new scrutiny under the GDPR. This time needs to be relayed to those it has been collected from upfront – and further mandatory sanctions on retention may come into play moving forward. Make sure that this information is easily accessible by customers and those that have provided data, keeping them informed on just how long you will retain information about them.
  • Have a system in place to deal with minors: The message here is very straightforward - data analytics should never include those below the age of consent. The repercussions for this happening are set to be severe, so it’s vital to make sure that you have a separate way of dealing with the data of those under this threshold. Ensure that this is still a secure and well thought through system, avoiding any kind of analytics entirely.

People

  • Hire a Data Protection Officer: This role is set to become more vital than ever once GDPR reforms are rolled out, with member states given the power to make the role permanent. There is also talk of multi-national companies having to provide somebody in this role regardless of member state approval. Although this may not be mandatory at the moment for all companies, serious consideration should be given to appointing a Data Protection Officer regardless. An experienced eye that can oversee your data processes could prove a vital resource in keeping compliant with GDPR reforms once they are rolled out.
  • Educate your employees: That being said, implementing someone to oversee data protection does not mean that the box is ticked. Educating and summarising what needs to be implemented should take place throughout your workforce. It can only take one oversight to land your business in hot water, and with fines ranging up to €1,000,000, education is just as important as technology and process when it comes to compliance.

Company Culture

  • Transparency: Transparency can be implemented in many forms, but essentially boils down to the availability of the data that you store and its capacity to be manipulated. The right to be erased is a significant part of the GDPR reforms; those that have supplied the data can ask for this to be removed from your systems if they feel it is being used in a way that they are not happy with. So your data set needs to be accessible, enabling you to erase information as needed and remove the aforementioned personally identifiable information whilst retaining security and control. Being honest with customers about how there data is going to be used can also stop these removal situations before they occur.
  • Don’t just be legal, be ethical: The difference between “can” and “should” is one that needs to be paid particular attention to with the enhanced data laws coming in. Trust is vital in your relationship with customers, so be wary of acting in a way that could damage this – regardless if it is within the boundaries of GDPR.

By following these starting points, you can stand your company in good stead once GDPR comes into play. Preparation, when it comes to technology, people and culture, can give you the edge when retaining customer trust and making sure you keep on the good side of these updated data protection laws. However, as mentioned within the people section, dealing with GDPR can’t be treated as a ticked box.

This is something that will be consistently under review and scrutiny, especially with the Internet of Things and breaches regularly appearing in the news agenda. Keep an eye on the reform as it takes final shape and on the terms and conditions of the networks you are collecting data on, and make sure that you treat data with care and a respect for privacy.

By educating your staff, updating your processes and installing a culture of transparency throughout your business, the day GDPR hits will feel like another day at the office.

Tim Barker, CEO of DataSift

Image source: Shutterstock/Maksim Kabakou