Securing business data

The ultimate recipe for GDPR compliance...

by Chris Leppard, head of advisory, CNS Group | 30 May 2018
This article was updated on 30/05/18.

GDPR is and has been the hot topic of this year. It seems you can't open your email inbox, surf the internet or even have a conversation without a mention of GDPR, and with all this information flying around, it feels like every angle of GDPR has been covered.

Joanna Earle, on behalf of Egress, says: "GDPR represents one of the biggest reforms to data protection and privacy laws we have ever seen. Given these reforms require every business in Europe to look at how it handles personal or sensitive data and where necessary invest in new systems and processes to ensure compliance, the impact on our company has been considerable."

Dan Vanrenen, Managing Director at Taskeater, says: "The main aim of the GDPR was to protect the privacy of the individual, and many of the changes enforcing data confidentiality, data security and affirmative opt-in consent for marketing purposes do work to that effect. Individuals have a right to understanding how and why their data has been collected and processed.

"What the GDPR has done is forced a shift in sales and marketing to focus on providing value, rather than just selling a product. Inbound marketing, content marketing, search-based marketing and sales, all focus around selling by educating and informing, providing value in exchange for data and the opportunity to sell. The GDPR has enforced that shift."

However, it isn't just Europe that will be affected by GDPR. Roger Smith, experienced cybercrime expert and CEO at R & I ICT Consulting, says: "In Australia, little notice has been taken of the General Data Protection Regulations (GDPR) because it is perceived as an EU requirement, but compliance with those regulations can and will impact SMEs all over the world. Like the Patriot Act and the Australian Privacy Act, the European Union's GDPR is the latest effort by Governments to protect their citizens from the digital world.

"The impact for Australia has so far been underestimated. SMEs are treating it like the Y2K issues associated with 1999: just hype and another way for the large ICT companies to make money by selling shiny new products. If you collect any information concerning a European citizen, then the regulation applies to that information."

Anne Wardell from Law and Compliance Firm, Compliance Quarter adds: "While the GDPR is a European regulation it applies to an Australian organisation that controls or processes data (and, indeed, any organisation in the world that controls or processes data), where one of three conditions set out in Article 3 is met:

  • it has a physical establishment in the EU;
  • it offers goods or services to people in the EU; or
  • it monitors the behaviour of people in the EU."

Is there a recipe?

The question is, are we actually any closer to truly understanding how we can practically implement GDPR? Many companies have started looking at the implications. As they're finding out, it is a complicated piece of legislation, with a multitude of options that may or may not apply to them.

So is there a succinct shopping list of 'must do's' or a recipe that outlines the exact ingredients to bake up full GDPR compliance?

Have your cake...

Actually, the answer to this question is 'Yes'. The key to achieving GDPR compliance is a structured, formal approach. If your company has implemented ISO 27001 or similar, then it should be possible to include GDPR as part of its wider compliance activities. If an organisation has not considered a framework such as ISO 27001, then GDPR may be a good reason to look at implementing such a scheme for wider information assurance reasons.

Make sure you have the right ingredients

It's crucial that you approach GDPR in the right manner, and that means having all the right ingredients and elements in place. The trap not to fall into is to consider GDPR to be solely a legislative exercise and therefore assume the effort to implement the changes should be run by the legal department. GDPR requires a top-down approach with board-level recognition and sponsorship. A project team should be formed that represents the whole of a company and all its major departments. GDPR is wide ranging and it is essential that all areas of your business understand their responsibilities.

Education and information are the key to success. Board-level executives must clearly understand their responsibilities and staff must be made aware of the potential changes to their working practices. GDPR may, in many cases, require a change in attitude or company culture, and this may prove to be the hardest thing to achieve.

"GDPR to all businesses means a way to ensure that a business has systems and procedures in place to handle their client data," advises Hazel Theocharous of LearnGrowTransform, while also suggesting that "On a personal level I tell business owners they would want to know that their personal data is secured, likewise their clients expect that when they divulge their data it will be kept secure."

Check the temperature

Once you have your committee, a review of existing policy and procedures relating to data protection and how you handle data breaches should be undertaken. If not recently completed, a risk assessment may be required to identify those areas of the business that will be impacted by GDPR and to identify the personal information that you hold. Where the risk is deemed to be high, a privacy impact assessment, often referred to as a Data Protection Impact Assessment, will need to be completed and suitable steps taken to protect the data. As is often the way with assessments of this type, what information a business thinks it holds and where it is stored, as opposed to what is actually held, are often very different things.

It is also worth noting that the supervisory body (in the UK this is the Information Commissioner's Office, the ICO) will be legally entitled to see the personal data that you hold, so it is important that you ensure you have accurate records of all personal data. A fundamental step in complying with GDPR is to understand what data you hold and what you must protect. There are parallels with this approach that will be familiar to anyone who has completed a full PCI DSS assessment: there will be a lot of upfront work in the first year, leading up to the initial assessment, but the following years should require much less effort as processes are embedded and become part of standard business-as-usual procedures.

Let them eat cake...

On the whole, the individual's rights to request information from a company are broadly similar to those under the existing Data Protection Act, but there are enhancements. Included are changes to data portability: you must now provide subject data in electronic format, rather than in the form of a letter. The time to comply with a request has been reduced from the current 40 days to one month, and no charges can be levied. Just the need to comply with the data portability requirements may need a separate project; for instance, you must consider how the information could be provided to the requester in a secure fashion.

If a business stores information on children, then GDPR introduces additional controls and restrictions on the storage of such data. It is essential that a company identifies this information and fully understands its responsibilities.

If you are a public authority, or process significant amounts of personal data, then the organisation will need to appoint a data protection officer. The nature of GDPR and the potential implications of not complying with it mean this will become an important and senior role within many organisations. However, given the expected demand for such personnel, recruiting a suitable candidate may not be a simple task.

Do not forget the icing!

But don't forget: other areas, such as breach notifications and the potential fines that can be faced, have been widely reported and should not be underestimated either. There is a lot to take in, and further reading from sources such as the Information Commissioner's Office and the EU Article 29 Data Protection Working Party is highly recommended.

James Ewen is the Marketing Manager at Tamoco. Their App Consent Toolkit, as James explains, "is a toolkit that developers and app publishers add to their app. It helps them to comply with GDPR in regards to obtaining consent, the right to be forgotten, and audit. The toolkit records every change in a secure audit so that developers can prove they are compliant with the new GDPR legislation.

"A lot of developers are exposed to being in breach of GDPR as it stands. This toolkit puts them in control and ensures that they can comply with a comprehensive toolkit."

Aleena Brown, Virtual Assistant and Owner of the Blog VA, says: "Prepping for GDPR as a blogger or online entrepreneur doesn’t need to be a total headache. I have been working with clients to ensure their websites are fully compliant, including creating detailed and clear privacy policies, enabling the refusal of non-essential cookies, and much more.

"We have been working on our mailing lists, too; making sure sign-up forms are GDPR compliant, and asking existing subscribers to re-opt in.

"The GDPR is absolutely a positive step for online businesses, and bloggers and influencers. Re-opting in your mailing list is an excellent opportunity to clean your list, and ensure that your subscribers are totally engaged with you. I've seen a vast increase in email open rate and subscriber retention since re-opting in clients' lists.

"Not only this, but those who are seen to be GDPR compliant moving forwards will be seen as far more trustworthy than those who have not fully embraced the regulations. Trust factor will increase not only with audience, but with other brands, companies, and businesses too.

"As someone who works primarily with bloggers, influencers, and online entrepreneurs, I foresee that brands will be less likely to work with those who are not fully compliant in the very near future."