On 25 May 2018 the new GDPR regulations will be enforced in all European Union Member States; the clock is ticking. But where to start? What to do first within an organisation? Here are three best-practice tips for organisations to consider as they work to become compliant with the GDPR.
First of all, it is very likely that any organisation with customers or partners in the European Union will be affected by the GDPR. A global chain of compliance will be mandated: any organisation located outside the EU that offers goods and services to customers within the EU has to comply, whether or not it owns the personal data it processes.
Breaking with the principles of this regulation might become painful. For minor breaches the fines are up to two per cent of annual worldwide turnover in the previous financial year or 10 million Euros, whichever is the greater; for major breaches they rise to four per cent of annual worldwide turnover in the previous financial year or 20 million Euros. It is no longer a valid option for any organisation to weigh up the costs of compliance against the risks of prosecution.
1. Get to grips with your Databerg
To process personal data in a GDPR-compliant way, an organisation needs to precisely know where this data is stored. Unfortunately the content of an average of 52 per cent of all data stored by organisations is dark to the organisation that holds it, according to a Veritas study. If you don’t know what data you hold and where it is, you simply can’t comply.
Businesses with 250 employees or more must keep auditable records of their processing of personal data, and without a reliable record of processing activities it is hard for any organisation to prove compliance, which is a key requirement of the GDPR under the new principle of Accountability. Compliance teams also need to know whether personal data goes outside the European Economic Area so they can put the right data transfer agreements in place to ensure that the transfers are lawful. And they need to be able to assess whether the data is still needed, and delete it if it is not, to comply with the principle of Storage Limitation.
To achieve this:
- Interview employees to understand how they obtain, use and disclose personal data. Do this in combination with a review of the way your systems process personal data, and reconcile the two. This is the basis of your auditable processing record, and a map that will guide you when you review your data management policies and processes to bring them into line with the GDPR.
- Use technical tools to gain insight into the dark data that you already hold, both its content and its location, and re-connect the data that is stored with the business that owns it. Most businesses have a blind spot when it comes to dark data, but it is costly to store, and after 2018 failure to manage it could attract a fine.
- Delete what you don’t need, and formulate policies and procedures that will prevent the Databerg re-accumulating.
2. Establish processes to find data quickly
Each individual within the European Union will get new and improved rights under the GDPR. For example, each individual has the right to obtain a copy of all the personal data that is held on them, the right to demand erasure or correction of the data, to have its processing restricted, or to have their personal data ported to another organisation. These requests must be fulfilled without undue delay, and within one month of the request. An extension of up to two further months is possible in the case of complex or numerous requests.
These timelines may look generous, but the volume of personal data that many organisations hold on individuals, together with the time it takes to consider the legitimacy of the request, retrieve the personal data, read it, decide what redactions need to be made and gain any compliance approvals, means that the timeline can be challenging to meet.
Failure to meet the timeline attracts the “major breach” fine. If your business gets a request from a data subject, can you find their data to action it? Can you do it quickly?
To be able to be a fast responder:
- Make sure that you do not hold personal data for longer than is necessary, and have the tools and processes to locate it quickly in both your structured and unstructured electronic systems
- Establish an easy way to pass the personal data you retrieve to the compliance team for review
- Create procedures to ensure the right personal data is disclosed/deleted/corrected/ported/restricted
- Create auditable logs so that you can prove that you did what you said you did
3. Don't forget the basics and do an analysis of your data security
The “Integrity and Confidentiality” principle in the GDPR requires that personal data be protected from loss, damage and destruction. It is therefore essential to make sure that the data is backed up, so you can recover it.
This may seem to be the easiest part in the overall GDPR conversation, but this task should not be underestimated. If companies do their Databerg analysis right, they are likely to find that their data is fragmented across different storage areas. They will find personal data stored on virtualised systems, cloud infrastructure and other systems and locations from mobile devices to shared cloud storage services.
These best practices will help to get a backup and resilience strategy in place that covers such fragmented infrastructures:
- Establish a backup and recovery strategy that integrates physical, virtual and hybrid cloud scenarios under one umbrella to make it easy to manage
- Get insights into all existing cloud services and the data stored there and make sure you educate your employees about the right usage
- Establish a failover concept that will keep not only the access to the cloud services highly available, but also guarantee the resilience of the services themselves.
Tamzin Evershed, Director of Legal at Veritas