So, a bit of housekeeping first. The GDPR is the brand-new regulation that everyone has been talking about, but what actually is it? You’ve probably received numerous emails from organizations asking you for permission to continue storing your personal data, and that’s what it’s essentially all about.
Companies interacting with people in the European Union will all have to pay attention to what they’re doing with their personal data and ensure they are storing and processing it in responsible ways.
So, are you ready to comply? According to a GDPR report by IT Governance, only 33% of senior management have been briefed about the new regulation. Considering it’s so close to becoming mandatory, this seems like quite a scary statistic, all things considered. With that being said, let’s explore a few requirements of the mandate to find out if you’re really ready.
What Data Does GDPR Affect?
First things first, it doesn’t matter if you’re in the European Union yourself. You could be on an island in the middle of nowhere, but if you store or in any way handle the data of a citizen of the European Union, you’re bound by the rules of the GDPR. Although, having said that, if you are in the middle of nowhere it may be harder for those pesky auditors to find you.
Now, onto the data itself. This is fairly easy: if you’re unsure about whether the data you have falls under GDPR, it probably does. GDPR encompasses all forms of personal data, from basic identity information (name, address etc.) and digital footprint (IP address, cookie data etc.) to more specific information like health, political leanings, interests and behaviour.
The Main Requirements of GDPR
The GDPR is not a very interesting read, I’ll be honest. But, thankfully, there are many summaries online (including one from the ICO) that mean you don’t have to go through it yourself. Below, I’ve pulled out three important requirements from the many that you’ll be expected to adhere to:
Respond to Breaches Quickly
Organizations have the responsibility to notify supervisory authorities within 72 hours of discovering a breach. The only exception to this is if you believe that the breach isn’t likely to infringe on the rights and freedoms of those involved. So, you need to make sure that you’re able to identify a breach in progress, or one that’s taken place, identify who’s involved, and the reasons that it occurred.
The Right to Be Forgotten
Citizens of the European Union have the right to request that their data be erased if there is no further reason for the data to be used. There are numerous stipulations to this right and you’re not automatically obligated to erase the data so it’s probably best you look this one up in further detail.
Accountability
This is an important one. You have to make sure you do as much as you can to be accountable for the data you hold, as you are responsible if anything happens to it. You need to know exactly what kind of data you hold, where that data resides, who has access to it and whenever anything changes. You need to ensure that you are operating with a policy of least privilege, where users only have permissions to the data they need, and you keep access to your most sensitive files and folders as limited as possible.
So, What Do You Need to Do?
Now you’ve hopefully got a decent understanding of the aims and requirements of GDPR, it’s time to jump into the steps you can take to ensure you’re ready when the 25th rolls around.
Educate Those Around You
As suggested before, ensure that at least one person (preferably more) has fully read and understood the GDPR and can communicate this to others in the organization. There need to be plans for regular training for all members of staff on the importance of the GDPR, what actions they need to take and how to handle sensitive data.
Enforce Your Policies
Enforce any and all policies that will help you ensure you are acting responsibly with sensitive data. In many cases you will need to deploy a third-party solution to audit, monitor, track and alert on changes to your sensitive data, as native auditing simply won’t be detailed enough to satisfy compliance audits. There are numerous GDPR compliance solutions on the market that will help you satisfy the data protection side of the regulation. They are worth looking into.
Adopt Privacy by Design
Privacy by design involves building an organization from the ground up where data security and privacy are ingrained in every aspect of the business. Any new projects that you undertake, or any further developments your organization goes through, should involve a data protection impact assessment to assess how those changes will affect the security and integrity of data. This way you will be able to predict potential GDPR-related problems and address them before they get you in hot water.
Are You Ready?
So, after going through this article, do you feel ready for the 25th May? If not, don’t worry about it too much as many organizations are in the same boat. If you need help addressing some of the chapters and articles of the GDPR, come and speak to us.