Countdown to GDPR: Seven steps to compliance

A staggering 25 per cent of businesses are purportedly still not aware of the EU GDPR (General Data Protection Regulation) according to Brodies.  A frightening figure. Even more worrying when 28 per cent of respondents to the same survey confess they are unlikely to – or don’t know whether they will – be compliant by May 25, 2018.

However, as with political polls, just how accurate are surveys of business readiness? The number of unprepared businesses may even be higher. In our experience, it is common during major transformation projects to discover that what a business reported it knew about its estate, processes or governance is at variance with the reality. Recognising the value of revisiting and rechecking everything we think we know is critical.

Preparing for GDPR is no different. 

The GDPR will apply to all organisations collecting and processing personal data on EU citizens. The sheer volume and scale of data breaches hitting the headlines, not to mention those that haven’t, should be a wakeup call for businesses to get their data in order. Yet despite these breaches and the looming deadline, preparation for the GDPR is still patchy. 

Organisations must act fast to put measures in place that demonstrate compliance, to avoid potentially eye watering fines. Should a breach occur, the regulators will want to know what measures you had in place (or not) to avoid it in the first place. 

With this in mind, here are seven steps to start your compliance journey today. 

Set up a GDPR task force

Do not assume someone is already spearheading this initiative. The IT, marketing and legal teams in your organisation are most likely to know about the GDPR and all should be involved. However, the impact is so wide-ranging that any team needs board level sponsorship and support from the outset. 

The focus must be on assembling a cross discipline team to manage every aspect of the activity. Some organisations use external consultants to guide the team and accelerate progress.

Don't leave it too late to find a data protection officer

EU guidelines encourage the voluntary appointment of a DPO by all organisations handling data. Not all organisations are required to appoint a DPO, but the authorities will still expect you to document the exercise of assessing that need. A DPO is obligatory for public bodies and any organisation that processes sensitive data as a core activity or does so on a large scale. Any systematic monitoring of data subjects also triggers the need to have a DPO. 

If you need a DPO, act quickly. Concerns are growing that there will be a shortage of suitable candidates. Recent projections anticipate a requirement for 28,000 DPOs across Europe alone. A practical alternative is to outsource the DPO function to a company that offers DPO as a service, such as Blackberry or Aphaia.

Create a register of sensitive data

Common sense dictates that you should know where all your data is. If you do not know, you will not pass a data audit.  In the GDPR context, there are three key questions to ask:

1.       What sensitive/personal data do we have?
2.       Where do we hold that data? 
3.       How is the data accessed?

A basic spreadsheet is the quickest way to set up a data register. But even using a sophisticated catalogue solution, the difficulty is to accurately identify everywhere sensitive data resides. For this, we recommend tools from vendors such as Delphix and Attivio. 

Implement effective data management

Most organisations already take steps to secure their production environments but non production environments are often less secure.  According to a survey by Delphix, 80 per cent of all data is stored and used in non production environments. With over three quarters of companies admitting to using production data during development and testing, the risks associated with not securing data in non production environments are considerable.

Data management techniques, including automatic masking, can lift this 80 per cent of data beyond the scope of the GDPR; it will also take that data out of scope for other regulations. 

This makes it easier to demonstrate compliance around sensitive data; helps to streamline the testing process; enhance the quality of testing; and accelerate the entire development to production cycle. 

There is no ‘silver bullet’ tool, but vendors such as Delphix offer solutions for managing test data environments.

Implement real-time monitoring and reporting of breaches

The GDPR stipulates that after a data breach, an organisation must investigate the incident and inform the supervisory authority within 72 hours of becoming aware of the incident.  To comply, we recommend implementing real-time monitoring processes.

Most databases incorporate access-audit capabilities. These can be useful, but only in the host technology. In any case, Delphix finds that 72 per cent of DevOps leaders claim to have unaudited access to production data, making this audit less relevant.

Using tools such as Splunk, you can pull together a view of data access activity across an entire data estate and network. Some organisations have set up an internal Security Operations Centre (SOC) to deliver exactly this capability – and monitor and flag potential breaches of data in minutes. However, the highly specialised skillsets required to do this has led a growing number of organisations to buy in on site or even off site SOCs as a service from one of a small number of providers running these services.

Review policies and control

To achieve GDPR compliance, each organisation has to implement policies and procedures to:

- ensure respect of individuals’ rights;
- obtain consent to collect data;
- provide privacy notice details;
- be able to respond to subject access requests.

Many organisations already have policies and controls sanctioning collection of sensitive data. However, even those with mature policies can fall foul of the more stringent requirements of the GDPR. All organisations can therefore benefit from reviewing their approach to data approbation. 

Policy and process review is particularly effective when undertaken by, or together with, external consultants. This is not because of any mistrust in in-house expertise, but more to avoid the innocent myopia of familiarity.

Establish correct governance

Under GDPR, Data Privacy Impact Assessments (DPIAs) will become mandatory. The GDPR underlines the importance of internal data governance with an expectation of data protection by design. Do not underestimate the effort required to compile DPIAs, or to implement effective governance for process design. This is especially true when some reports suggest that only half of transactional data, and less than a third of unstructured data, is currently subject to rigorous governance. 

The secret to success is to consider this as an opportunity to realise the value locked inside your data. Effective data governance is the foundation for the most effective and collaborative solution design. Establishing a reliable and pro actively maintained metadata repository improves the overall quality of all data, not just sensitive data. By assessing each data element for its purpose, lifecycle and associated risk, effective design can eliminate unnecessary processing. Management benefits from more informed decision-making that boosts competitive advantage and improves the customer experience.

Conclusion

Following these steps now not only reduces the risk of a data breach, but can protect your organisation from incurring potentially enormous fines and considerable reputational damage. 

Finally, it would be a mistake to approach these steps in a linear fashion. You can make progress in each of these areas simultaneously. In fact, with the countdown to GDPR enforcement in full swing, that would definitely be the best approach. 

Christopher Glynn, Senior Consultant, ECS
Image source: Shutterstock/Wright Studio

You can find the rest of our GDPR coverage on this link.