GDPR (Post 2): Ensuring Compliance
Post 1 in our series of blog articles designed to raise awareness of GDPR, the EU’s new Global Data Protection Regulation coming into effect on the 25th May next year, presented a short overview of the new directive, what it means for your organisation and the risk of severe penalties for non-compliance.
In Post 2, we provide best-practice advice to guide you on your GDPR compliance journey.
We hope that you find the advice useful and helpful in ensuring compliance with the new directive.
Three main issues are covered:
- Understanding the implications of GDPR for your organisation
- The four key steps to ‘getting started’
- Finding solutions
Understanding the Implications
GDPR represents the most significant change in European data protection regulation for two decades. The bar covering individual privacy rights, security and compliance has been raised significantly. It is critical, therefore, that your organisation fully understands the implications of GDPR and the key challenges presented.
As summarised in Post 1, GDPR has major implications for organisations in four main areas:
- Enhanced personal privacy rights
- Increased duty for protecting data
- Mandatory breach reporting
- Significant penalties for non-compliance
A useful infographic from Microsoft (see Figure 1 below) summarises the key challenges presented for your organisation.
GDPR will impose much stricter control over where your organisation stores personal data and how it is used. Effective data governance, transparency, record keeping and reporting will become a legal requirement.
Your organisation will need to develop improved data policies providing control to data subjects and ensuring lawful processing of the data. There will be a requirement to provide privacy training, to audit and update data policies and, for many organisations, to employ a Data Protection Officer.
Figure 1: GDPR – Summary of Key Changes
The following resources should help you better understand your organisation’s responsibilities under GDPR:
Getting Started: The Four Key Steps
There are four key steps to ensuring the GDPR compliance of your organisation as shown in Figure 2 below.
With less than ten months before the new directive is launched, two key questions need to be addressed now:
- Does your organisation have the capacity to complete the four steps by the May 25th deadline?
- Do you have the capacity to manage and maintain continued compliance post-deadline?
Figure 2: GDPR – Getting Started
The first step to GDPR compliance is to undertake a data inventory identifying the personal data held by your organisation and where this currently resides. A wide range of personal data falls in-scope of the new rules including names; email addresses; social media posts; physical, physiological and genetic information; medical information; location; bank details; IP addresses; cookies; cultural identity and more.
It is critical to log what information your organisation currently holds and how this is collected and stored, including emails, documents, databases, removable media, metadata, log files, backups and so on.
As well as auditing what personal information is held and where, there are additional questions to address. Why is the information collected? What is it used for and how is it processed? Who has access to the information and how is it shared? How long is it retained?
As discussed in Post 1, GDPR represents a profound change in data protection law in Europe; in particular, a massive shift in the balance of power from organisations collecting and using personal data to the individuals concerned. Individuals will have much greater control over the capture and use of their personal data.
In the new regulatory environment, organisations will be required to implement an effective data management policy governing how personal data is used and accessed.
A Data Governance Plan will be required defining policies, roles and responsibilities covering the management and use of personal data within your organisation to ensure that data handling practices are GDPR compliant. Data governance should cover all stages of the data lifecycle – at rest, in process, in transit, storing, recovery, archiving, retaining, disposal.
Data classification will be critical: implementing a classification scheme throughout your organisation is essential for responding to data subject requests. Data should be organised and labelled properly according to type (e.g. sensitive), context/use, ownership, custodians, administrators, users and so on.
Recent cyber-attacks have reinforced the need for information security to be a top priority for all organisations. As mentioned above, GDPR will raise the bar further.
Organisations will be required to ensure that appropriate technical and organisational measures are in place to protect personal data from loss, unauthorised access or disclosure.
Stringent security controls will be required to prevent, detect and respond to vulnerabilities and data breaches.
You should currently be evaluating whether your existing data protection measures are GDPR compliant in the following areas – physical data centre protection, network security, storage security, compute security, identity management, access control, encryption, risk mitigation.
What about your breach detection and response procedures in the following areas – monitoring for and detecting system intrusions, system monitoring, breach identification, calculating impact, planned response, disaster recovery, notifying DPA and customers?
Finally, GDPR sets new standards in transparency, accountability and record-keeping.
Organisations will need to be more transparent about how they handle personal data including clear documentation defining processes and personal data use.
Records will need to be kept on how the data is used; the categories of personal data processed; the identity of third parties with whom data is shared; whether (and which) third countries receive personal data and the legal basis of such transfers; organisational and technical security measures and data retention times that apply to various datasets.
As an accredited Microsoft Gold Partner, Bridgeall would be delighted to support your organisation in achieving GDPR compliance.
As shown in Figure 3 below, the Microsoft technologies we use are already GDPR ready. This will significantly reduce the effort required by your organisation in becoming compliant.
Please do not hesitate to contact us for an informal chat about your GDPR compliance requirements.
As always, comment and feedback on this article are very welcome.
Figure 3: Microsoft Solutions to Help You Prepare for GDPR