General Data Protection Regulation (GDPR), will overhaul how businesses process and handle data. It will be directly applicable from May 2018 (4 months’ time). The regulation entered into force, however, on 4 May 2016, after its publication in the Official Journal of the European Union. Europe’s data protection rules will endure their most prevalent alterations in two decades.
Since they were produced in the 90s, the amount of digital information we create, capture, and store has immeasurably evolved. In essence, the old rules are no longer fit for purpose.
The regulation has generated a vast number of GDPR related activities helping businesses prepare for the changes GDPR will bring. Sometimes we read long and scary lists of ‘things’ related to GDPR Is this required? ………….. in some instances, yes, absolutely! But let’s look at an alternative approach to GDPR – many of the requirements or actions will indeed be able to be conducted and implemented in-house. Other elements will require expertise in particular areas, e.g. legal standpoint and cyber security strategy and practices.
Gap Analysis & Communication
- Assess the company’s data protection ‘to dos’ between the current status of data protection compliance and the obligations arising from GDPR.
- Communication with all employees, so that they understand the onus on them regarding GDPR
- Specifically speaking to Marketing and IT team
- Appoint a DPO (Data Protection Officer), if applicable.
Data Discovery – understand your processing
- Conduct a full Data Audit
- Compile a Data Register
- Compile process register as per Article 30 requirements
- Data Classification
- Assess the risks to all private Data, review policies and procedures.
- Review accessibility to all data
Procedures and Critical Data
- Apply security measures to data, containing core assets and then extend these measures to back-ups and other repositories.
- Information Security – Assess your compliance with data protection in the specific areas of information and cyber security policy and risk, mobile and home working, removable media, access controls and malware protection.
Revise and Repeat
- Repeat these steps and adjust findings where necessary.
- For CSO’s GDPR provides a good opportunity to upgrade the organisations security capabilities to meet the regulations requirement and improve overall security with regard to data confidentiality and privacy.
- Also provides them with the opportunity to become ISO27001 compliant – specification framework for an information security management system.
If you are concerned about GDPR – please contact us to see how can we help.