In just 365 days from today, May 25th, one of the biggest changes in the regulation of data protection and privacy will take effect – the General Data Protection Regulation (GDPR). The idea behind the new legislation is that companies should adopt a “security by design” approach when developing their security strategies and become more answerable to their customers.
Protecting customer data should move to the top of businesses’ priority lists as a result, but how can businesses make this a reality and become compliant at the same time? What steps do they need to take?
Step one – Understand the GDPR legal framework
- Research and understand the legislation by doing a compliance audit against the GDPR legal framework
- Hire a Data Protection Officer – preferably someone with a legal and technical background
Step two – Create a Data Register
- Keep a Data Register that records the process of you becoming compliant
- Each country has a Data Protection Association (DPA) responsible for enforcing GDPR. The DPA will judge whether you are compliant when deciding any potential penalties for being breached
- Your Data Register will show that you are striving to be compliant and help you avoid a fine of up to four per cent of your turnover, should a breach occur
Step three – Classify your data
- You must understand what data you need to protect and how that is being done
- You must find where Personally Identifiable Information (PII) – information that can directly or indirectly identify somebody – of EU citizens is being stored, who has access to it, who it is being shared with, etc.
- You can then determine which data is more vital to protect, based on its classification. This also means knowing who in your team is responsible for controlling and processing the data, and making sure all the correct contracts are in place
Step four – Start with your top priority
- Once the data has been identified, it’s important to start evaluating it, including how it’s being produced and protected. With any data or application, the priority should be to protect users’ privacy
- You should complete a Privacy Impact Assessment (PIA) and Data Protection Impact Assessment (DPIA) of all security policies, evaluating data life cycles from origination to destruction points
- It’s vital, when doing this, to remember the rights of EU citizens, including data portability and the “right to be forgotten”
- From here, you should evaluate your data protection strategies – how exactly you are protecting the data (for example, with encryption, tokenisation or pseudonymisation)
- Always keep in mind that data should be protected from the day it is collected, through to the day it is no longer needed and then it should be destroyed in the correct way
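The protection techniques named in step four differ in what they let you do later, and that difference matters for the erasure and portability rights mentioned above: a keyed pseudonym keeps records joinable but unlinkable without the key, while a token held in a separate vault can be reversed until the mapping is deleted. The following is an added example written for this page, not code from the original article or any named product; the HMAC-SHA256 pseudonym, the `TokenVault` class, the `protect_records` helper and the sample customer records are all assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (not from the article): a small customer table as a
# data controller might hold it. "email" is the directly identifying field.
SAMPLE_RECORDS = [
    {"email": "anna@example.org", "country": "DE", "orders": 3},
    {"email": "bo@example.org", "country": "FR", "orders": 1},
    {"email": "anna@example.org", "country": "DE", "orders": 2},
]


def pseudonymise(value, key):
    """Keyed pseudonym (HMAC-SHA256, a hypothetical choice for this example).

    The same identifier always yields the same pseudonym, so records can still be
    joined for analytics, but without the key it cannot be linked back to a person.
    An unkeyed hash would not do: e-mail addresses are guessable, so candidates
    could simply be hashed and matched. Destroying the key later makes archived
    pseudonymised copies effectively anonymous."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


class TokenVault:
    """Reversible tokenisation: a random token stands in for the identifier and the
    mapping lives only in this vault, which is protected separately from the data.
    Removing one mapping makes every downstream copy of that token unlinkable, one
    way to act on a 'right to be forgotten' request without locating each copy."""

    def __init__(self):
        self._forward = {}  # identifier -> token
        self._reverse = {}  # token -> identifier

    def tokenise(self, value):
        if value not in self._forward:
            token = "tok_" + secrets.token_hex(8)  # random; carries no information
            self._forward[value] = token
            self._reverse[token] = value
        return self._forward[value]

    def detokenise(self, token):
        return self._reverse.get(token)

    def forget(self, value):
        """Erase the link for one data subject. Returns True if a mapping existed."""
        token = self._forward.pop(value, None)
        if token is None:
            return False
        del self._reverse[token]
        return True


def protect_records(records, key, vault, pii_fields=("email",)):
    """Replace each PII field with a pseudonym and a token; other fields pass through."""
    protected = []
    for rec in records:
        out = {}
        for field, value in rec.items():
            if field in pii_fields:
                out[field + "_pseudonym"] = pseudonymise(value, key)
                out[field + "_token"] = vault.tokenise(value)
            else:
                out[field] = value
        protected.append(out)
    return protected


def contains_raw_pii(records, raw_values):
    """Post-protection check: does any raw identifier still appear in the output?"""
    return any(v in raw_values for rec in records for v in rec.values())


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in practice held in a KMS/HSM, never beside the data
    vault = TokenVault()
    protected = protect_records(SAMPLE_RECORDS, key, vault)
    for row in protected:
        print(row)
    # Erasure request from anna: drop the vault mapping and her tokens become meaningless.
    vault.forget("anna@example.org")
    print(vault.detokenise(protected[0]["email_token"]))  # None
```

The `contains_raw_pii` check is the kind of evidence worth recording in the Data Register: it demonstrates that the protected copy no longer carries the identifiers the classification step found, rather than asserting it.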
Step five – Assess and document additional risks and processes
- Aside from the most sensitive data, the next stage is to assess and document your other risks, with the goal of finding out where you might be vulnerable during other processes
- As this is being done, it is vital you keep a roadmap document to show the DPA how and when you are going to address any outstanding risks
- It’s these actions that show the DPA that you are taking compliance and data protection seriously
Step six – Revise and repeat
- The last step is all about reviewing the outcome of the previous steps and remediating any potential fallout, adjusting and updating where necessary. Once this is complete, you must determine your next priorities and repeat the process from step four
We’d love to hear your views, anonymously in our survey, on how far you’ve progressed with GDPR compliance.