The Proof Is In The Planning

Employee round-table discussion

There is so much content now being generated about those four letters – GDPR – that it is very easy to see folks becoming swamped and confused about how to start and where to look. I have seen a few articles recently written by technology vendors that, by implication, have a product placement woven into the script. I suppose that is understandable, as the desire to help is closely followed by the need to generate more revenue and profit. Short of pure product placement, there is a more palatable approach: at least pointing towards the different technology options that may address part of the GDPR challenge.

I have spoken to a lot of our customers about what types of solutions and processes they are looking to put in place, and they are many and varied. I have listened to various preparation plans for the new regulation: plans to use RMS encryption for every email and document, enhanced DLP solutions that use content scanning for personally identifiable information (PII) and, as you might expect, multi-level security policies with data classification labels. Certainly RMS everywhere will be quite heavy and will be a challenge on some technologies not natively derived from Redmond; and if you include IP addresses among the many pieces of data that count as PII, the DLP content scanners are going to be sweating. Multi-level security policies can also quite quickly become confusing for users, although we do have a client who, for certain users, has up to 17 classifications they can add to a document to assist in complying with several different regulatory requirements.

The next step you need to take when trying to clear some of the GDPR fog is to make a plan. I recently read an article published by Naked Security (original piece can be found here), which had conducted some research and found a useful set of actions published by Ireland’s Office of the Data Protection Commissioner. The core of the document looks at 12 key activities, which I have added to, as a starting point for your planning to be prepared for the upcoming GDPR:

  1. Be aware. It’s not enough for CEOs, IT staff and compliance officers to be aware of what GDPR requires. All employees from the top to the bottom of an organisation need to be extensively educated and made aware of the regulation’s importance and the key role they have to play in being authors and processors of the data they use.
  1. Be accountable. Companies must make an inventory of all personal data they hold and ask the following questions: Why are you holding it? How did you obtain it? Why was it originally gathered? How long will you retain it? How secure is it, both in terms of encryption and accessibility? Do you ever share it with third parties and on what basis might you do so?
  1. Communicate with staff and service users. This is an extension of being aware. Review all current data privacy notices alerting individuals to the collection of their data. Identify gaps between the level of data collection and processing the organisation does and how aware customers, staff and service users are of it. Look at your logistics chain and what actions your suppliers are putting in place to match your good work if they are processing some of your data.
  1. Protect privacy rights. Review procedures to ensure they cover all the rights individuals have, including how one would delete personal data or provide data electronically. The right to be forgotten may conflict with other regulatory information you need to keep, such as HR records on past employees, so know what systems hold what data.
  1. Review how access rights could change. Review and update procedures and plan how requests within the new timescales will be handled.
  1. Understand the legal fine print. Companies should look at the various types of data processing they carry out, identify their legal basis for carrying it out and document it.
  1. Ensure customer consent is ironclad. Companies that use customer consent when recording personal data should review how the consent is sought, obtained and recorded.
  1. Process children’s data carefully. Organisations processing data from minors must ensure clear systems are in place to verify individual ages and gather consent from guardians.
  1. Have a plan to report breaches. Companies must ensure the right procedures are in place to detect, report and investigate a personal data breach. Always assume a breach will happen at some point, and know your procedure for alerting your national authority within the required timelines.
  1. Understand Data Protection Impact Assessments (DPIA) and Data Protection by Design and Default. A DPIA is the process of systematically considering the potential impact that a project or initiative might have on the privacy of individuals. It will allow organisations to identify potential privacy issues before they arise, and come up with a way to mitigate them.
  1. Hire data protection officers. The important thing is to make sure that someone in the organisation or an external data protection advisor takes responsibility for data protection compliance and understands the responsibility from the inside out.
  1. Get educated on the internal organisations managing GDPR. The regulation includes a “one-stop-shop” provision to assist organisations operating in EU member states. Multinational organisations will be entitled to deal with one data protection authority, or Lead Supervisory Authority (LSA) as their single regulating body in the country where they are mainly established.

Time is now ticking away, with regulation enforcement starting in May 2018. If you’re struggling to start your planning to get GDPR ready, get in touch with us and see how we can help your organisation.