In adapting to the new General Data Protection Regulation (GDPR), an organisation should take a look at its current strategy and stage of preparation to ensure proper data security. It is essential to carry out an overall data audit, identify the most sensitive points in the security strategy, and seek solutions for problematic issues - data must be controlled and correctly managed.
While May 25, 2018 may appear today to be a long way off, in the perspective of the huge upcoming changes which each organization will have to implement, making that deadline may be a considerable challenge. As a result of failure to comply with the new rules, companies can be held responsible for data breaches and punished severely. Fines can reach up to 4 percent of annual income or EUR 20 million, so it is well worth it to start the process of ensuring compliance today. Every action you undertake before the deadline will enhance your security policy and further your efforts to minimize risk, build trust and protect the brand.
Make an exact audit of your data
The first step toward compliance with new rules is a detailed data audit of the current state of collected resources. Familiarize yourself with the proper classification and sensitivity of the data you own. Match this data to appropriate categories and determine when the data was introduced into the system, where it is now held, who has access to this data, and what needs to be done with it in order to comply with the GDPR.
Take into consideration the current technological environment
Check your data sources and consider the whole technological infrastructure of your company. It is quite possible that the data you hold in your organisation exists in various forms, and it may be necessary to transfer records from paper-based to electronic formats. Think about all the software and tools which help you manage data about data subjects. Give special attention to an integrated technological environment that ensures smooth data exchange between the many different systems involved, and implement tools for effective cyber security protection. Moreover, remember that proper and efficient tools are not the only things required; constant maintenance is also needed, and in this area your company needs an additional supporting unit. Consequently, collaboration with an experienced and dedicated technological partner is a valuable solution for every organisation.
Establish solid rules of accountability
Implement clear and efficient security policies and procedures that help you react quickly in case of data breaches and give notification within the required time limit. Ensure that your staff are trained to respect the security policy. Within this new framework for accountability, establish a culture of monitoring, reviewing and assessing your data processing procedures. The new regulations may require further tools which support access to and processing of data collection or some modification of already existing systems.
Pay attention to the legal basis in your organization
Focus on the legal basis on which you process data and consider whether it is sufficient. Most companies are convinced that the only thing they need in order to process subject data is consent. First of all, consent is not the only lawful basis for collecting data. Secondly, it may not be the best way to manage data. If you do rely on consent, make sure that your forms, documents and legal conditions concerning data collection are transparent and easily accessible, that the data subject is informed, and that consent is freely given.
Be aware of unusual expectations of data subjects regarding their rights
This may not be a common occurrence, but it is possible, and you should bear in mind that data subjects may choose to exercise their rights under the GDPR. Be prepared to erase and forget personal data or to transfer it from one location to another, most often to a competing company. Remember that you must relocate or erase all the data concerning the individual, not just the records in the system that received the request. Moreover, personal data needs to be stored in a machine-readable and commonly used format.
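The data audit described above ("where is the data held, who has access, when did it enter the system") and the erasure and portability rights described in this section are served by the same artefact: a personal-data inventory that knows every store holding a given subject. The following is an added example written for this article, not code from intive or from any GDPR tooling; the store names, fields, roles and records are constructed for illustration, and a real inventory would be backed by the organisation's actual systems rather than in-memory lists.

```python
"""Added example (not part of the original article): a minimal personal-data
inventory supporting (1) the data audit and (2) subject export and erasure.
All store names, fields, roles and records below are constructed samples."""
from dataclasses import dataclass, field
import json


@dataclass
class DataStore:
    name: str                # the system holding the records (constructed)
    category: str            # kind of personal data, e.g. "contact", "billing"
    sensitivity: str         # "normal" or "special" (health data etc.)
    access_roles: set        # roles that may read this store
    subject_key: str         # field that identifies the data subject
    records: list = field(default_factory=list)


# Constructed sample inventory: three systems, each keyed by e-mail address.
INVENTORY = [
    DataStore("crm", "contact", "normal", {"sales", "support"}, "email", [
        {"email": "a@example.com", "name": "A. Example", "since": "2016-03-01"},
        {"email": "b@example.com", "name": "B. Example", "since": "2017-09-12"},
    ]),
    DataStore("billing", "billing", "normal", {"finance"}, "email", [
        {"email": "a@example.com", "iban_last4": "1234", "since": "2016-03-02"},
    ]),
    DataStore("hr", "health", "special", {"hr"}, "email", [
        {"email": "c@example.com", "sick_days": 3, "since": "2018-01-10"},
    ]),
]


def audit_report(inventory):
    """Data audit: for each store report the category, sensitivity, who can
    access it, how many records it holds and the oldest record date (when
    the data entered the system)."""
    report = {}
    for store in inventory:
        oldest = min((r["since"] for r in store.records), default=None)
        report[store.name] = {
            "category": store.category,
            "sensitivity": store.sensitivity,
            "access": sorted(store.access_roles),
            "count": len(store.records),
            "oldest_record": oldest,
        }
    return report


def collect_subject(inventory, subject_id):
    """Gather every record about one subject from every store in the inventory.
    Stores with no matching record are omitted."""
    bundle = {}
    for store in inventory:
        hits = [r for r in store.records if r[store.subject_key] == subject_id]
        if hits:
            bundle[store.name] = hits
    return bundle


def export_subject(inventory, subject_id):
    """Data portability: serialise the subject's records as JSON, a
    machine-readable and commonly used format."""
    return json.dumps(collect_subject(inventory, subject_id), indent=2, sort_keys=True)


def erase_subject(inventory, subject_id):
    """Right to erasure: remove the subject from every store, not only the one
    that received the request. Returns the number of records removed per store."""
    removed = {}
    for store in inventory:
        before = len(store.records)
        store.records = [r for r in store.records if r[store.subject_key] != subject_id]
        if before != len(store.records):
            removed[store.name] = before - len(store.records)
    return removed


def remaining_references(inventory, subject_id):
    """Post-erasure check: names of stores that still hold the subject.
    An empty list is the evidence you want before closing the request."""
    return [s.name for s in inventory
            if any(r[s.subject_key] == subject_id for r in s.records)]


if __name__ == "__main__":
    print(json.dumps(audit_report(INVENTORY), indent=2))
    print(export_subject(INVENTORY, "a@example.com"))
    print("removed:", erase_subject(INVENTORY, "a@example.com"))
    print("still referenced in:", remaining_references(INVENTORY, "a@example.com"))
```

The point of `remaining_references` is that erasure is only complete when every store in the inventory has been checked, which is why the audit from the first step and the subject-rights handling share one inventory: a system missing from the audit is a system that will silently keep the data after an erasure request.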
Face the challenge with the best
To comply thoroughly with the new regulation, you should collaborate with a trustworthy and experienced security consulting partner whose key activities concern cyber security and who is able to offer advice on the most powerful solutions. A team of external specialists will be able to analyse existing problems and challenges with a great deal of objectivity, and thereby make the most appropriate changes. Moreover, cooperation with specialists will help your organization continuously tighten its IT systems as required by new regulations.
If you have any specific questions on the General Data Protection Regulation or privacy and data protection, please contact Krzysztof Machelski, Head of Security and Automation at intive. Our team of security experts has helped many of our customers improve their cyber security and we will be more than happy to provide you with tailored insights and updates too.