It’s a natural reaction to sit back and take a deep breath after working towards a major deadline – and many businesses may have done just this following the May 2018 beginning of GDPR enforcement. However, the deadline was months ago – many are now waking up to the fact that GDPR was not just for May, but is a long-term, ongoing commitment.
This realisation can be daunting. For most businesses, preparing for GDPR has been a time-consuming, costly and resource-heavy process. With its 99 articles, GDPR is lengthy and confusing; many companies lacked knowledge and understanding, were short of time, skills and budget, and had only a weak grasp of their own data inventory. No wonder many commentators predicted that around 60 per cent of companies would not be ready.
Given the effort involved in this initial push, trying to maintain the same pace to keep up with compliance could leave organisations severely drained. It is vital, therefore, to find a way to make compliance sustainable by ensuring it is as easy and as resource-light as possible. One way of doing this is to identify manual tasks and replace them with an automated approach.
A good way to start is to bring together all documents covering data, such as records of processing activities, the legal aspects of GDPR and existing processes. This will form the base from which the business can implement controls and processes before embedding them in Governance, Risk Management and Compliance (GRC), IT security and organisational processes. This will take time, but businesses should see it as an investment and a sound foundation that will pave the way for easy and efficient implementation of all other aspects of continued compliance.
This will be the beginning of implementing best practices – the key to ongoing compliance without spending so much time and money that it becomes a burden to the business. Some businesses may be required by the regulation to appoint a Data Protection Officer (DPO) responsible for working through and understanding GDPR and its impact on the organisation. Those who decide not to take this step should have their reasons clearly documented and ready, as it’s something the regulators may want to question them about.
A DPO will review materials from the national regulatory body and the European Data Protection Board to ensure they have a solid grasp of what is expected and how it can be applied to the business. They will make sure all the right consents are in place, close any gaps and certify data processing agreements. From here they can help build the Article 30 record of processing activities – a task that can’t be ignored for continued compliance.
Now that the deadline has passed, it would be easy to become complacent about educating employees on the importance of compliance. Regular training updates, whether through online courses or formal in-house classes, are essential to ensure employees recognise the need for data protection and the penalties for non-compliance. It’s important to avoid a box-ticking mentality and instead ensure all employees see the wider picture and how a breach could impact the company.
One of the most effective ways to ensure continued compliance is to adopt policies designed to deliver complete privacy from the outset and embed them into the organisation. This concept – “data protection by design and by default” – is a specific mandate of the GDPR. Once this has been achieved it will be possible to determine which processes can be automated. Automation can greatly simplify data processes and increase reliability, provided the automation solution is capable of interacting with all other enterprise systems and applications to access and manipulate data quickly.
Automation will be key to maintaining compliance over time as it will allow technology to take the lead in areas such as data discovery and the classification and identification of personal data. Automating these processes will not only save huge amounts of time and remove the element of human error, but will also make it possible to implement standard workflows for processes so that when errors and privacy issues occur they can be automatically flagged, managed and rectified.
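The discovery, classification and flagging workflow described above can be sketched in a few dozen lines. The following Python script is an added illustration and is not code from the article or from ASG Technologies; the sample "data stores", the approved inventory and the simplified detection patterns (email, UK-style mobile number, a loosened National Insurance number shape) are all constructed for the example. It scans each store for personal data, builds a per-store inventory of the categories found, and then flags any store or category that is missing from the approved Article 30 record, which is the kind of privacy issue the text says should be raised automatically.

```python
import re

# Constructed sample data stores: store name -> list of text cells. None of this is real data.
SAMPLE_STORES = {
    "crm_export.csv": [
        "Alice Example,alice@example.com,+44 7700 900123",
        "Bob Example,bob@example.org,+44 7700 900456",
    ],
    "shared_drive/notes.txt": [
        "Call back Carol on 07700 900789 re. NI number AB123456C",
    ],
    "marketing_list.xlsx": [
        "dave@example.net",
        "no personal data here",
    ],
}

# Constructed approved inventory (a stand-in for the Article 30 record):
# which stores are recorded as holding which categories of personal data.
APPROVED_INVENTORY = {
    "crm_export.csv": {"email", "phone"},
    "marketing_list.xlsx": {"email"},
}

# Deliberately simplified detection patterns (assumption: good enough for the demo,
# a production classifier would use validated patterns and context checks).
PATTERNS = {
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    "phone": re.compile(r"(?:\+44\s?7\d{3}|\b07\d{3})\s?\d{3}\s?\d{3}\b"),
    "ni_number": re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b"),
}


def classify(text):
    """Return the set of personal-data categories detected in one text cell."""
    return {category for category, rx in PATTERNS.items() if rx.search(text)}


def build_inventory(stores):
    """Discovery step: for each store, count the cells in which each category appears."""
    inventory = {}
    for store, cells in stores.items():
        found = {}
        for cell in cells:
            for category in classify(cell):
                found[category] = found.get(category, 0) + 1
        inventory[store] = found
    return inventory


def flag_issues(inventory, approved):
    """Workflow step: flag personal data that sits outside the approved record.

    Returns a list of (store, issue_type, categories) tuples. Two issue types:
    - unrecorded_store: personal data found in a store the record does not mention
    - unrecorded_category: a recorded store holds a category the record omits
    """
    issues = []
    for store, found in inventory.items():
        recorded = approved.get(store)
        if recorded is None:
            if found:
                issues.append((store, "unrecorded_store", sorted(found)))
            continue
        extra = set(found) - recorded
        if extra:
            issues.append((store, "unrecorded_category", sorted(extra)))
    return issues


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_STORES)
    for store, found in inv.items():
        print(f"{store}: {found or 'no personal data detected'}")
    for store, issue_type, categories in flag_issues(inv, APPROVED_INVENTORY):
        print(f"FLAG {issue_type}: {store} holds {categories}")
```

On the constructed data the CRM export and marketing list match their recorded entries, while the shared-drive notes file is flagged as an unrecorded store holding a phone number and an NI number. In a real deployment the flagged item would be routed into a ticketing or GRC workflow for review, and the inventory output would feed the processing record rather than being printed.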
Burden? Or opportunity?
Businesses have just 72 hours once they have become aware of a data breach in which to gather all relevant information and report the incident to the regulator. Automation can accelerate this reporting process by quickly locating impacted data and affected groups of people, and help avoid subsequent fines.
As a business’s data portfolio continues to grow and become more complex, it is difficult to conceive of GDPR compliance being possible without an automated approach to compliance. Automation will also prove more cost-effective and can make production of the reports and audit logs needed to prove compliance routine.
For continued compliance, a business must also ensure that its processes are robust enough to be followed in the long term. It may come as a surprise to discover that more data breaches have been caused by papers being left lying around or data in spreadsheets getting lost than by cyber attacks. According to the UK Information Commissioner’s Office (ICO), in the health sector alone, the loss or theft of paperwork was the second most common reason for data breaches in the last year, behind data being faxed or posted to the incorrect recipient. The risk posed by these incidents of human error under the GDPR is particularly high, with potentially costly repercussions, highlighting how pressing it is for a business to adopt sustainable processes.
As many companies will have experienced, GDPR compliance can be costly. However, failure to comply brings the possibility of accruing penalties, losing customers and business from negligent data handling, damaging corporate reputation and market value and risking legal action if data is used for criminal purposes. Ensuring you are maintaining the correct standards of compliance will remove all these risks and even has the potential to better enable your company to thrive in the information economy.
For example, seeing GDPR as an opportunity rather than a burden could open up new possibilities. The information gathered for compliance makes it possible to map out all consents, as well as where data is being used without consent, which could yield a new understanding of your data assets. GDPR also has the potential to reduce data management costs, as it facilitates the identification of redundant data which can then be eliminated. Activities from compliance could even be applied to other parts of a business and support its digital journey.
GDPR is still in its infancy, and some even argue that certain principles of GDPR are a matter of opinion rather than something quantifiable. But one of the biggest mistakes a business can make is to see GDPR as a one-off campaign rather than an ongoing reality. There is at least one certainty – the need for compliance is not going to just disappear.
Rob Perry, vice president of product marketing at ASG Technologies