Much has been written about GDPR over the past 6 months, with articles ranging from helpful insights and blatant scaremongering to complete falsehoods. One thing we can say now, with real certainty, is that GDPR is very complex, and no organisation will ever be 100 per cent GDPR compliant.
In fact, the general consensus is that GDPR is not a destination but a continuous journey of constantly reviewing data, removing low-value data, looking at new data, following procedures, and maintaining trust with customers by prioritising their privacy. A better way for organisations to approach GDPR is to be able to show, in the event of a regulatory investigation, that they have taken reasonable steps to demonstrate that they take privacy seriously and ultimately comply with GDPR.
The good news is that by elevating data privacy to the forefront, GDPR presents a major opportunity for organisations to develop greater levels of customer trust, which is very good for business. There are also potential cost savings, as GDPR means discarding superfluous data and unnecessary duplication. These compliance requirements may drive business process re-engineering initiatives and reduce compliance cost by minimising the amount of information being collected or used. This could also result in more straightforward processes for staff.
In preparing for GDPR, it’s important to appreciate that each organisation has unique data risks to be addressed, so it must understand how these can be mitigated in a secure and compliant way. For organisations that want to be GDPR ready, here are some key steps that will help generate successful outcomes.
Create a culture of accountability and governance
From board level down, GDPR means organisations have to take data protection seriously. Key stakeholders must understand the implications of the GDPR so that the required resources can be allocated to deliver this significant business change. This means that for organisations with over 250 employees, a staff member (potentially with a small reporting team) will need to be made GDPR accountable, and they will also have to possess a significant understanding of both the business and the complexities of the data regulations. Also, if it has not already been done, data protection should be incorporated into the corporate risk management and internal control framework.
Gain enterprise-wide awareness
The next task involves establishing which areas of the business fall within the scope of GDPR, by identifying, assessing and mitigating privacy risks with data processing activities.
For larger organisations, territories and jurisdictions must be looked at too, as well as standards and management systems that may be affected by, or could positively contribute to, GDPR compliance.
Another task is to establish with the IT team whether any imminent projects involve personal data, as these will be candidates for privacy by design. This is critical because privacy by design means that privacy in a service or product is taken into account not only at the point of delivery but from the product’s inception.
Catalogue data across the enterprise
Organisations hold huge volumes of data in all sorts of weird and wonderful places, so they must identify which types of data are held, where each comes from and the lawful basis for processing it. There are special categories of data that may invite stricter processing rules, such as getting explicit consent. Once all data has been sought out, it must be clearly documented: when, how and why it was obtained, what is going to be done with it, and how long it will be kept.
Audit data flow across the enterprise
Organisations must also understand how personal data flows within their business, as well as where it comes from and where it is sent. This will help highlight risks in data processing activities and where controls are required. From this, it can be established whether further effort is required to help identify, assess and mitigate or minimise privacy risks with data processing activities. The three primary conditions for an assessment identified in the GDPR are:
- Systematic and extensive evaluation of personal aspects relating to natural persons, which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person
- Processing on a large scale of special categories of data or of personal data relating to criminal convictions and offences
- Systematic monitoring of a publicly accessible area on a large scale
Create or improve key policies and processes
According to Article 30 of the GDPR, companies will be required to record personal data processing activities including, but not limited to, the categories of data being processed, the categories of recipients of the data and time limits for keeping the data. Each business will also need a privacy notice, a data protection policy and have to update or review contracts with employees and suppliers - to ensure they are compliant.
The rules around consent are clear: it must be freely given by the individual; the information must be unambiguous, specific and free of jargon; and consent must be given affirmatively. Transparency is paramount: organisations must be open and honest with the people who provide their data about what is being collected, why it’s wanted, how it will be used and how it will be cared for, and they must make clear that consent can be withdrawn at any time.
Addressing citizens’ rights requires a more comprehensive outline of how their data should be handled. Key changes include the ‘right of access’, which has expanded considerably and must now be free of charge. Additionally, the ‘right to be forgotten’ has been extended, with individuals now able to be ‘forgotten’ when they no longer want to have a relationship with that brand. This means that organisations should think about what processes are needed to accomplish this.
Look for third party expertise
One caveat here: organisations should be wary of instant ‘experts’ claiming that they alone have the magic bullet to address GDPR requirements. They should only consider GDPR partners that have hands-on experience, great relationships with other experts in the field, access to specialist tools, and a strong track record in regulated sectors. A potential partner should also already be GDPR compliant themselves.
Also, ensure any partner complies with ISO 27001 to deliver the appropriate technical controls, policies and procedures and to promote a culture of information security awareness. Any potential partner should also follow ITIL best practices and use them to help implement and adapt processes for GDPR compliance.
Sean Hanford, Senior Sales Engineer and Consultant at Bluesource