Breaking down the GDPR into a three-step path to compliance

It’s now less than a year until the EU begins enforcing the General Data Protection Regulation (GDPR). There hasn’t been such an overhaul of data protection legislation in nearly 20 years, and the regulation has been designed to do just that: overhaul a complex patchwork of individual data regulations across the EU to create a single, rigorous protection standard.

The implications of the GDPR will be extensive, yet with just a year until enforcement, a recent Experian survey found that 48 per cent of businesses are still only in the early stages of preparing for its arrival. With time running out, these businesses need to step up their efforts to ensure compliance before the deadline arrives, but many are still unsure how to break down the complex legislation into easily actionable activities and processes.

A three-step path to compliance

The solution lies in adopting a more consistent approach to dealing with the many different areas encompassed by the GDPR, focusing efforts on three main business components: People, Processes and Technology.

  • People: The people within an organisation are the ones closest to the data and understand it best. Therefore, the first action should always be to work with the relevant stakeholders to properly identify and classify data, assess how it is being used and better understand the most appropriate course to take with it.
  • Processes: Once data protected under the GDPR has been identified, clear processes must be put in place for employees to follow. This will ensure compliance is achieved and maintained.
  • Technology: The right technology will help businesses meet the requirements of the GDPR both now and in the future. The GDPR also specifically states that data security should be built into technology projects and initiatives from the start.

Taking a consistent “People, Processes, Technology” approach to the GDPR can help businesses understand exactly what needs to be done and how to go about doing it. Below is an example of how this might look when applied to a key aspect of the GDPR:

New rights for data owners

The GDPR includes a broad collection of rights that EU citizens residing in the EU will be entitled to, as a way to protect their personal data. This is leading to a pendulum swing back to where the EU citizen is the data owner until they give consent for it to be used, not vice versa. Companies need to adapt and learn how to operate in this new environment.

People: Perhaps the biggest challenge here is around changing attitudes towards data consent and ownership within organisations, which some will find harder than others. Businesses accustomed to reinventing themselves tend to accept change far more easily than those with an entrenched way of doing things. Education will play a key role in shifting internal behaviour towards personal data over time.

Changes to data usage consent are also a key element. The GDPR requires companies to specifically state how personal data is being used and give citizens a choice on whether they are happy for their data to be used in that way or not. As a result, the people within the business need to change how they approach consent. Consent tools must become far more user-friendly and easy to locate, not secretive and hidden like many of them are today.

Processes: The GDPR expects businesses to put processes in place that allow EU citizens to request their personal data, have it amended or even deleted. These requests must be handled “without undue delay”, which means businesses will need to know exactly where the data resides and how it is stored.

There needs to be stringent governance of this process to ensure the right data is being given to the right person. In most instances, this will take the form of a series of authorisation stages, overseen by the business’s Data Protection Officer (DPO).

Under the GDPR, appointing a DPO is mandatory for public authorities, as well as organisations that monitor data subjects on a large scale, or process sensitive personal data on a large scale. The DPO will be the focal point of all data protection and compliance activity, and is accountable to both the board and customers.

Technology: To ensure compliance, a technology backstop is needed to support people and enforce processes. A comprehensive, enterprise-wide data discovery solution should be used to locate any data potentially subject to the GDPR. This must include data residing on laptops, servers, databases and file shares, or in the cloud.

Once found, data classification by context, content and user will allow businesses to track and control the movement of GDPR-relevant data. It’s extremely important that all data discovery and control activity be ongoing, so that any changes to the data over time are identified and accounted for in compliance activities.

Expanding the approach across GDPR challenges

The GDPR is a welcome, possibly overdue, addition to EU law that will greatly improve personal data protection and privacy for all EU citizens. Whilst achieving compliance may seem like an impossible task for many businesses at the outset, the key lies in breaking the legislation’s core components down into manageable pieces and applying a consistent approach to each area. To be most effective, this process must start at the top with the board and involve as many employees as possible. With the right plan in place, compliance can still be effectively achieved, even with just a year to go.

Thomas Fischer, global security advocate, Digital Guardian