Countdown to GDPR (Are you ready?)
In the past six months it has become clear to Cameron Consultants that many of our clients are struggling with the new General Data Protection Regulation (GDPR) and what is required of them to comply.
As a result of this we have implemented a process which will allow companies to become compliant and our consultants are now available to assist them in adding GDPR policies into their IMS systems.
On 25th May 2018, the legislation – designed to protect EU citizens’ data – will become law. Its intent is to ensure that organisations are including “privacy by design” in their security strategies and make them more accountable to their customers.
The introduction of GDPR is set to change how businesses handle personal data and bring data protection to the top of businesses’ priority lists. So how can businesses ensure they are compliant, and what steps do they need to take?
1 Understand the GDPR framework
The first step is to understand the legislation in place, as well as the implications of not meeting the required standards, by doing a compliance audit against the GDPR legal framework.
Part of this compliance audit, no matter the size of the company, is contracting a consultant to explain the regulations and apply them to the business. Each organisation is unique, so it is important that the challenges specific to each company are discussed and agreed with Senior Management.
2 Create a Data Register
Once businesses have a clearer idea of their readiness to meet the regulatory requirements, they need to keep a record of the process. This is done by keeping a Data Register.
Should a breach occur during the early stage of implementation, the business should be able to show the DPA its progress towards compliance through its Data Register.
Without any proof that the company has even started the process, the DPA could enforce a fine of between 2% and 4% of the company’s turnover, depending on the sensitivity of the data that was breached. The nature of that data could also lead the DPA to decide to fine the company much more quickly.
3 Classify your data
This step is all about understanding what data businesses need to protect and how that is being done. Businesses must first find any Personally Identifiable Information (data that can directly or indirectly identify somebody). It is important to identify where it is stored, who has access to it, who it is being shared with, and so on.
They can then determine which data is more vital to protect, based on its classification. This also means knowing who is responsible for controlling and processing the data, and making sure all the correct contracts are in place.
4 Start with your top priority
Once the data has been identified, it’s important to evaluate the data, including how it’s being produced and protected. With any data or application, the first priority should be to protect the user’s privacy. When looking at the most private data or applications, businesses should always ask if they really need that information and why. Companies should complete a Privacy Impact Assessment (PIA) and Data Protection Impact Assessment (DPIA) of all security policies, evaluating data from origination to destruction points.
Companies should evaluate their data protection strategies and how exactly they are protecting the data. Data should be protected from the day it is collected through to the day it is no longer needed, and then it should be destroyed in the correct manner.
5 Assess and document additional risks and processes
Aside from the most sensitive data, the next stage is to assess and document other risks, with the goal of finding out where the company might be vulnerable during other processes.
These actions show the DPA that the business is taking compliance and data protection seriously.
6 Continuous Improvement
The last step is all about revising the outcome of the previous steps and amending and updating where necessary. Once this is complete, businesses must determine their next priorities and repeat the process from step four.
Companies that fail to show they have the right measures in place – or are at least making efforts to put them in place – will face fines and undoubtedly a big hit to their reputation.