Views, News & more
In last week’s blog, in between suggesting new acronyms for the incoming General Data Protection Regulation (GDPR) legislation and keeping you readers awake, we looked at the main ways in which the EU’s new favourite four-letter word could change the data processing landscape.
This week, like any good boy scout might, we are reminding you that it always pays to be prepared.
The new rules - which mandate data collectors and processors to commit to protecting users data, with the promise of many nasty punishments if they fail to do so - come into effect through the EU, and even in the UK, from 25 May 2018.
That means there isn’t long until companies and individuals have to be ready, so we have compiled our top tips to make sure you are well prepared for the GDPR D-Day.
A good place to start is to identify someone in your organisation who understands what the GDPR is going to change. What this effect will be is different for every business or operation, so it should be somebody who already knows it inside and out.
If at a company that collects, processes or stores large amounts of data, you may have recently hired a data protection officer (DPO), an enterprise security leader mandated by the GDPR who is responsible for overseeing a data protection strategy and its implementation.
These DPOs are responsible not only for regularly monitoring of how data is handled, but also training staff and auditing company practices to make sure everyone is up to speed.
Whether down to your DPO or not, your team also needs to be equipped with the skills to understand and comply with the regulatory requirements. Any gaps in knowledge or capacity for understanding GDPR need to be dealt with quickly, so getting staff involved in test runs or even cybersecurity fire drills could be useful ways of getting everybody on the same page.
Don’t panic - we don’t think you should have a top-down, 6-month, management-lead review of everything your firm does. The GDPR builds on many of the concepts and principles that make up current EU legislation or the UK’s Data Protection Act, so there’s no need to reinvent the wheel.
Instead, checking existing policies against what the GDPR will mandate you to do is a good step, starting with internal processes and extending that externally when appropriate.
The EU suggests using a Data Protection Impact Assessment as a framework: A full rundown of how your company uses personal information is central to this, and at minimum you must be able to account for what data you hold, where it came from and who you share with.
Also important to review are any privacy policies in place, contracts that pertain to anything to do with personal data, and those of all your suppliers or service providers.
According to the latest Ponemon Institute research, the average harm of a data breach to a company is $4 million. According to the EU, it’s 2 per cent of your annual worldwide revenue, or €10 million, whichever is higher.
Putting prevention first is key, as a result, as the GDPR will remind you: the legislation requires businesses to prove that they are effectively aligning current best practice to the risks ahead. So, risk assessments need to be updated and measures taken to counteract them updated fittingly.
The law will also stipulate that any data breaches must be reported to local authorities within 72 hours of becoming aware of the incident. Many have recommended adopting real-time monitoring processes to keep up with this requirement, whether through access-audit capabilities in databases or specialist tools like Splunk, which shows data access activity across an entire data estate and network.
Another option is the use of a Security Operations Centre to monitor and flag potential data breaches. These require a specialist skill-set to run, however, and increasingly are provided by other partners or even as off-site services.
There are plenty of other factors to bear in mind - some hardware should be assessed, governance codes need reviewing, continuous testing can help - but these are the core factors that will ensure your company is ready for GDPR. We would recommend a big cup of tea to cope, too.