GDPR comes into effect one year from today – 25 May 2018. Breachful spoke to Aoife Flynn, Head of Marketing at data security software company Ground Labs, who recently opened their EMEA HQ in Dublin, about how companies should prepare.
By now, all companies should know that GDPR is concerned with protecting personal data belonging to EU citizens and puts a framework in place for businesses when handling, storing, processing and transferring personal data. So no more beating about the bush: How should companies prepare?
When preparing for the legislation, an organisation must first understand where their customer and employee personal data is stored – and who has access to it. Accountability is one of the key principles within GDPR.
Carrying out an inventory/audit of all personal data you hold and examining it under the following headings as provided by the data protection commissioner enables organisations to demonstrate ways in which they comply with the accountability principle. What are you holding? Why are you holding it? How did you obtain it? Why was it originally gathered? How long will you retain it? How secure is it, both in terms of encryption and accessibility? Do you ever share it with third parties and on what basis might you do so?
What are some of the key areas within the legislation around data protection that companies are likely to struggle with?
Let’s consider ‘Article 15 – Right of access by the data subject’. Under the GDPR, the owner of the data has the right to obtain a record of their personal information, including where it’s being stored and for what purpose. A copy of the record should be provided to the individual within 30 days of the request, in electronic format and free of charge.
This part of the legislation may provide significant challenges to businesses when dealing with a large number of subject access requests (SARs) at one time. Organisations should review their existing procedures for managing these requests, identify any gaps and update their processes. Organisations with a detailed inventory of all the data they store and a process for accessing it will be less impacted by large volumes of SARs.
Another area receiving a lot of attention is ‘Article 17 – Right to be forgotten’. The right to be forgotten places an obligation on organisations to delete or destroy data when it’s no longer required or at the request of the data subject when there’s no longer any justification for continued processing.
An effective solution for complying with this element of the legislation is building in retention rules when carrying out the initial data review. Retention rules will vary across industries. Once the retention period has expired, steps should be taken to delete, destroy or anonymise the data so that it can no longer be linked back to the individual. Of course, specific elements of GDPR will be more relevant to some organisations than others – it’s important and useful to identify and map out those areas which will have the greatest impact on your business model.
Ground Labs’ ‘6 steps to GDPR compliancy’
We’ve put together a practical framework which organisations can work off as a starting point:
- Discover: Carry out an information audit of all the personal data you hold. Involve all departments in your organisation, ensuring each department has accountability on the data they hold and why. Consider the following questions in your audit: What are you holding? Where are you holding it? Why are you holding it? How long will you retain it? How secure is it? Do you share it with third parties and on what basis?
- Document: Once the audit is complete, document the location of all personal data held within the organisation. This will be beneficial if faced with a subject access request (SAR). Under GDPR an organisation will have 30 days to complete a SAR (previously it was 40 days).
- Define: Define why you are collecting and using personal data, and make sure you have a legal basis before you process it. Categorise your data by sensitivity, criticality and confidentiality. Ensure you implement retention schedules in line with your business activities and any legal requirements in regards to retention of information. (This relates to the consent element of GDPR.)
- Assess: Assess your organisation’s policies and procedures in relation to your data. Investigate how you are seeking and recording consent. Ensure you have procedures in place to deal with breach notifications. Under GDPR, a breach must be reported within 72 hours. Failure to do so can result in fines of up to €10 million or 2% of global turnover…
- Deliver: Update your processes in line with the regulation. Where necessary, increase/upgrade your security. Deliver training to all staff within the organisation. Communicate the changes under GDPR and ensure all departments are aware of the updated policies and procedures in place for handling personal data.
- Monitor: Ensure continuous monitoring of the data flow and access within the organisation. GDPR is not a one-time project; it should become part of the business as usual practice within the organisation.
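The Discover, Document and Define steps above, together with the earlier points on subject access requests (Article 15) and retention-driven deletion or anonymisation (Article 17), can be made concrete with a small personal-data inventory. The following is an added example, not Ground Labs’ code or any part of their products: every record, data store, subject identifier and retention period in it is constructed for illustration, and the retention periods and the "legal hold" category are assumptions rather than legal advice.

```python
"""Toy personal-data inventory for the Discover / Document / Define steps.

Added example (not Ground Labs' code). All stores, subjects, records and
retention periods below are constructed; real retention periods depend on
the applicable law and the business purpose recorded for each category.
"""
from dataclasses import dataclass, replace
from datetime import date, timedelta

# Date on which the example is evaluated (the article's publication date).
TODAY = date(2017, 5, 25)


@dataclass(frozen=True)
class Record:
    store: str         # Where the data is held (Document step)
    subject_id: str    # Internal identifier of the data subject
    category: str      # Sensitivity / purpose category (Define step)
    purpose: str       # Why it is held and the legal basis relied on
    collected_on: date  # Start of the retention clock
    fields: dict       # The personal data itself


# Assumed retention schedule per category, in days (Define step).
RETENTION_DAYS = {
    "customer_contact": 365 * 2,
    "payroll": 365 * 7,          # assumed statutory retention
    "marketing_consent": 365,    # consent records kept one year
}

# Categories that keep analytical value after expiry and are anonymised
# instead of deleted (assumption for the example).
ANONYMISE_ON_EXPIRY = {"marketing_consent"}

# Categories whose retention is a legal obligation: an erasure request
# cannot override them until the retention period has passed (assumption).
LEGAL_HOLD = {"payroll"}

# Fields that directly identify a person and must go when anonymising.
# Note: hashing these would only pseudonymise the record (the hash can be
# matched against a known e-mail or name), so they are removed outright.
IDENTIFYING_FIELDS = {"name", "email", "phone", "address", "iban"}

# Constructed inventory: one subject (S1) appears in three stores.
SAMPLE_INVENTORY = [
    Record("crm", "S1", "customer_contact", "order fulfilment (contract)",
           date(2015, 3, 1), {"name": "A. Example", "email": "a@example.invalid", "country": "IE"}),
    Record("hr_db", "S1", "payroll", "statutory payroll records (legal obligation)",
           date(2016, 6, 1), {"name": "A. Example", "iban": "IE00-CONSTRUCTED"}),
    Record("mailing_list", "S1", "marketing_consent", "newsletter (consent)",
           date(2016, 1, 15), {"email": "a@example.invalid", "consented": True, "country": "IE"}),
    Record("crm", "S2", "customer_contact", "order fulfilment (contract)",
           date(2017, 5, 1), {"name": "B. Sample", "email": "b@example.invalid", "country": "DE"}),
]


def is_expired(record, today):
    """True once the record's category retention period has run out."""
    return record.collected_on + timedelta(days=RETENTION_DAYS[record.category]) < today


def subject_access_request(inventory, subject_id):
    """Article 15: everything held about one subject, with where and why."""
    return [
        {"store": r.store, "category": r.category, "purpose": r.purpose,
         "collected_on": r.collected_on.isoformat(), "data": dict(r.fields)}
        for r in inventory if r.subject_id == subject_id
    ]


def anonymise(record):
    """Strip the subject link and direct identifiers; keep non-identifying fields."""
    remaining = {k: v for k, v in record.fields.items() if k not in IDENTIFYING_FIELDS}
    return replace(record, subject_id="anonymised", fields=remaining)


def enforce_retention(inventory, today):
    """Apply the retention schedule: delete or anonymise expired records.

    Returns (kept_records, actions); actions records what happened to each
    expired record so the run can be evidenced for the accountability principle.
    """
    kept, actions = [], []
    for r in inventory:
        if not is_expired(r, today):
            kept.append(r)
        elif r.category in ANONYMISE_ON_EXPIRY:
            kept.append(anonymise(r))
            actions.append(("anonymised", r.store, r.subject_id))
        else:
            actions.append(("deleted", r.store, r.subject_id))
    return kept, actions


def erase_subject(inventory, subject_id, today):
    """Article 17 on request: remove a subject's records, except those still
    under a legal hold. Returns (kept_records, refused) where refused lists
    the (store, category) pairs retained because of the hold."""
    kept, refused = [], []
    for r in inventory:
        if r.subject_id != subject_id:
            kept.append(r)
        elif r.category in LEGAL_HOLD and not is_expired(r, today):
            kept.append(r)
            refused.append((r.store, r.category))
    return kept, refused


if __name__ == "__main__":
    for entry in subject_access_request(SAMPLE_INVENTORY, "S1"):
        print(entry)
    print(enforce_retention(SAMPLE_INVENTORY, TODAY)[1])
    print(erase_subject(SAMPLE_INVENTORY, "S1", TODAY)[1])
```

The design point worth noticing is that the inventory (Document) is what makes both requests cheap: a SAR is a lookup across stores rather than a scavenger hunt, and an erasure request can be answered with a reasoned refusal for the records a legal obligation still requires, instead of either over-deleting or ignoring the request. The `actions` list from `enforce_retention` is the kind of evidence the accountability principle asks for.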
There is no single “GDPR in a box” solution. An organisation must first look internally at their data and security processes, identify gaps and then decisions need to be taken on updating the processes with relevant technology to comply with the legislation. And it really is essential that all organisations start preparing for the implementation of GDPR immediately…
About Ground Labs
Ground Labs is a data security software company dedicated to building cardholder and data discovery tools which help organisations prevent sensitive data loss. Ground Labs products are currently used by more than 2,500 organisations across 80 countries.
The company recently opened their EMEA Headquarters in Carrickmines, Dublin.
To find out more about Ground Labs products and solutions, visit them here.
For a free Ground Labs GDPR risk assessment, click here. This assessment will provide a snapshot of all the personal data being held within your organisation, and help you to identify and understand the potential GDPR risks to your organisation.