GDPR is looming and soon enough the 25th of May will be here. Is your business ready for when the new GDPR regulations become law? Haven’t even started? Don’t panic! There is a lot you can do before May 25th. For starters, check out this article, courtesy of Real Business, on the basics and what you need to do to avoid those hefty fines.
To start with: don’t panic. There’s a lot you can get done in four months, but it is going to take some consideration to work out what’s best for your business.
Precisely what you need to do is going to depend on a number of factors – what your organisation does, its size, what data protection policies you already have in place and so on. However, here I’ll run through some pretty general things you need to get cracking on in the run up to May 25th.
(1) What data is where?
I talked about this in more detail in an earlier column here, but before you can make any GDPR preparation decisions you’ll need to have a good understanding of what data your company holds and where it is by conducting an audit. This should be your starting point. Depending on what your data handling and storage procedures are, this can be a small job or a big one – either way, it’s crucial.
(2) Review your current data protection procedures
There’s every chance you’re already meeting a number of the requirements of GDPR preparation and, at this stage, there’s no need to reinvent the wheel.
Take a look at what you are doing now and assess if you are already compliant in the various areas. If you are, you may wish to tighten up some procedures later down the line, but for now focus on those areas where compliance is currently an issue.
(3) Is it sensitive?
Not all data is created equal, so once you have completed your audit it’s worth classifying it, so that different measures can be taken for handling credit card details, for example, than for order numbers (although if the two appear together, the combination will need to be treated as sensitive).
While you want to make sure sensitive data is classified as such, over-classifying is a hindrance to the business and stops people doing their jobs effectively, which should be avoided.
(4) Technology investments
Depending on what you discover throughout the GDPR preparation audit process, you may want to invest in some technology to help carry the burden of achieving and demonstrating compliance. You should look to do this as soon as possible in order to find the best possible vendors for your needs. Technology that may well be required includes:
Secure storage systems – it goes without saying that, particularly if you’re using the cloud, you need to make sure security is watertight. Depending on how much sensitive data you hold (and what it is) you may also want to invest in specialist secure storage and sharing systems to be sure.
Identity and Access Management – data should only be accessed by the people who legitimately need it. IAM tools not only verify that those accessing information are who they say they are, but also allow policy-based controls so that anyone who doesn’t need access to certain files for their day-to-day job can’t have it.
Encryption – the ICO has stated that if, in the event of a breach, data has been rendered unintelligible (as it would be through encryption) data subjects do not need to be notified. It is, therefore, highly recommended that you invest in encryption technologies.
(5) Communicate and prepare
Compliance is a team-wide effort and you will need to communicate with employees about the new policies and procedures you have in place. If, for example, an employee inadvertently emails an unencrypted spreadsheet with sensitive data to the wrong person, what should they do? Discussing these scenarios and the steps to take is going to be important for GDPR preparation – particularly in the event of a data breach.
At some point throughout this process you will also need to appoint a Data Protection Officer (DPO). That person can be recruited specifically for the role, or it can be added to a current member of staff’s responsibilities – such as a CIO or IT manager.
When you choose to appoint this person will be up to you, but having them in from the start of the GDPR preparation process can make things run more smoothly.
The overarching advice for GDPR preparation is to take it one step at a time, do your due diligence and – crucially – don’t panic. If you need any advice, please get in touch with our technical team, who will be able to advise you on some great products that might make GDPR much simpler for your business.