The ultimate recipe for GDPR compliance...

by Chris Leppard, head of advisory, CNS Group | 15 Aug 2017
GDPR is and has been the hot topic of this year; it seems you can't open your email inbox, surf the internet or even have a conversation without the mention of GDPR. And with all this information flying around, it feels like every angle of GDPR has been covered.

Is there a recipe?

The question is, are we actually any closer to truly understanding how we can practically implement GDPR? Many companies have started looking at the implications. As they're finding out, it is a complicated piece of legislation, with a multitude of options that may or may not apply to them.

So is there a succinct shopping list of 'must do's' or a recipe that outlines the exact ingredients to bake up full GDPR compliance?

Have your cake...

Actually, the answer to this question is 'Yes'. The key to achieving GDPR compliance is a structured, formal approach. If your company has implemented ISO 27001 or similar, then it should be possible to include GDPR as part of its wider compliance activities. If an organisation has not considered a framework such as ISO 27001, then GDPR may be a good reason to look at implementing such a scheme for wider information assurance reasons.

Make sure you have the right ingredients

It's crucial that you approach GDPR in the right manner, and that means having all the right ingredients and elements in place. The trap not to fall into is to consider GDPR to be solely a legislative exercise and therefore assume that the effort to implement the changes should be run by the legal department. GDPR requires a top-down approach with board level recognition and sponsorship. A project team should be formed that represents the whole of a company and all its major departments. GDPR is wide ranging and it is essential that all areas of your business understand their responsibilities. Education and information are the key to success. Board level executives must clearly understand their responsibilities, and staff must be made aware of the potential changes to their working practices. GDPR may, in many cases, require a change in attitude or company culture, and this may prove to be the hardest thing to achieve.

Check the temperature

Once you have your committee, a review of existing policy and procedures relating to data protection and how you handle data breaches should be undertaken. If not recently completed, a risk assessment may be required to identify those areas of the business that will be impacted by GDPR and to identify the personal information that you hold. Where the risk is deemed to be high, a privacy impact assessment, often referred to as a Data Protection Impact Assessment, will need to be completed and suitable steps taken to protect the data. As is often the way with assessments of this type, what information a business thinks it holds and where it is stored, as opposed to what is actually held, are often very different things.

It is also worth noting that the supervisory body, which in the UK is the Information Commissioner's Office (ICO), will be legally entitled to see the personal data that you hold, so it is important that you ensure you have accurate records of all personal data. A fundamental step in complying with GDPR is to understand what data you hold and what you must protect. There are parallels with this approach that will be familiar to anyone who has completed a full PCI DSS assessment. There will be a lot of upfront work in the first year, leading up to the initial assessment, but the following years should require much less effort as processes are embedded and become part of standard business-as-usual procedures.

Let them eat cake...

On the whole, the individual's rights to request information from a company are broadly similar to those under the existing Data Protection Act, but there are enhancements. Included are changes to data portability: you must now provide subject data in electronic format, rather than in the form of a letter. The time to comply with a request has been reduced from the current 40 days to one month, and no charges can be levied. Just the need to comply with the data portability requirements may need a separate project; for instance, you must consider how the information could be provided to the requester in a secure fashion.

If businesses store information on children, then GDPR introduces additional controls and restrictions on the storage of such data. It is essential that a company identifies this information and fully understands its responsibilities.

If you are a public authority, or process significant amounts of personal data, then the organisation will need to appoint a data protection officer. The nature of GDPR and the potential implications of not complying with it mean this will become an important and senior role within many organisations. However, given the expected demand for such personnel, recruiting a suitable candidate may not be a simple task.

Do not forget the icing!

But don't forget: other areas, such as breach notifications and the potential fines that can be faced, have been widely reported and should not be underestimated either. There is a lot to take in, and further reading from sources such as the Information Commissioner's Office and the EU Article 29 Data Protection Working Party is highly recommended.
