With the EU DPR expected to be implemented in 2018, many organisations may struggle to meet the deadline for compliance if they do not start preparing soon.
The European Union’s data protection regulation is intended to strengthen the security around individuals’ private data (financial, health, etc) and also cross-border data rules for organisations with footprints in more than one country.
In a series of three articles, we will examine some of the key activities that organisations should be working on now to ensure that they meet the deadline. As with any major legislative changes, planning ahead is key and whilst 2018 may seem like some way off in the future, it’s never too soon to start making the necessary provisions so that the right combination of technology, processes and people are in place to ensure compliance.
Here we outline the essential groundwork that should be considered over the next three months.
The Data Protection Challenges
Preparation is particularly important, given recently published findings of a Guidance Software survey, revealing that the majority of organisations (nearly 60 per cent) do not currently have well established policies to address data privacy concerns. This is despite the fact that almost half of respondents (46 per cent) say protecting sensitive and private data is a top priority.
With this in mind, by the middle of 2016, organisations should be focused on laying the foundations: assessing current policies, determining budgets and timelines so that there is adequate time to make up any shortfalls in their programme.
Quarterly milestones to be reached by June 2016:
- Identify the projects needed for compliance:
The first stage of a successful data protection programme is to identify the key projects needed to strengthen the organisation’s data protection and data privacy processes, and to assess how these will impact the organisation. These projects are what will bring the organisation into compliance with the EU DPR by 2018, and each will typically involve several streams of work that must all be completed before the organisation can be considered compliant with its data protection and data privacy programme.
For example, an important first step is a thorough data audit across the corporate network, removing any sensitive or critical information found in inappropriate places. This project should start with a sweep of the network to search for, locate and secure sensitive data across the organisation, followed by identifying sensitive data that sits in unauthorised locations or can be accessed by unauthorised personnel.
- Consider the legal ramifications:
Organisations need to clearly understand the specific legal ramifications of the General Data Protection Regulation, and to identify all data they manage and store that falls directly under these data protection rules.
If a data breach occurs and it is found that the organisation did not follow the rules set out by the EU DPR, there are a number of legal ramifications, such as hefty fines payable depending on the scale of the breach.
In certain circumstances, dedicated data controllers as well as a Data Protection Officer need to be appointed as part of the organisation’s accountability programme.
- Appoint stakeholders:
It would be crucial to identify and appoint the stakeholders within the business who are directly responsible for the different data repositories. These staff must also be trained appropriately and organisations should highlight their responsibilities when it comes to how data should be stored, managed and sent. This is important in avoiding the unregulated spread of sensitive data across the enterprise.
Organisations should also ensure that there are policies in place based on access rights across different job roles and different departments, to ensure no unauthorised staff can access sensitive data.
- Identify supporting technologies:
It would be critical to identify the various technologies which can help organisations to classify and identify critical data assets. For example, the procurement of data risk management tools is an important aspect, and specialists need to be approached if necessary.
With these four areas identified, organisations will need to consider the budget required for completion of the necessary projects, as well as for additional technologies and personnel. Starting by compiling realistic timelines and internal deadlines for the completion of the programme would give organisations important milestones to work against to ensure compliance by the set deadline.
It should also be noted that UK organisations need to have a contingency plan if the UK potentially leaves the EU and should consider the ramifications if the organisation has a footprint in any of the other 27 EU states.
Over the next few months, preparations should start for achieving these milestones by June 2016, which will place organisations in a better position to reach the anticipated 2018 deadline.
Nick Pollard, General Manager UK, Northern Europe, South Africa, Guidance Software