24 Apr Preparing for General Data Protection Regulation (GDPR) – part II
Guest blogger Richard Hancock continues his series on GDPR preparation.
In my last GDPR blog, I gave you an overall summary of the 2018 regulation. Now I’m going to delve into some of the finer detail.
Let’s start with the most important GDPR statement you will read today. You need to start preparing for GDPR compliance and you need to start right now!
Your organisation should look at GDPR compliance holistically across your entire business. This isn’t just ‘something for IT’. It will impact every department in your company.
So, firstly, what data do you have and where is it stored? Do you know? That may seem like a silly question, but we’re in an era where we collect more data than ever before, faster than we’ve ever done. Control of this data very quickly becomes cumbersome and unmanageable, which leads to not knowing what you have and, sometimes, why you have it. Think about your production servers, your backup servers, your archive servers, cloud-based services and storage. Don’t forget, this doesn’t just apply to your customer data but also to that of your suppliers, vendors and employees.
Compile a data inventory
Don’t underestimate this task; it will likely take some time. It’s unlikely that your staff will be able to complete this task alone, so look at automation tools that can find both structured and unstructured data and help catalogue it. Once you have compiled your data inventory, make sure you classify it appropriately and give it a risk profile.
Implement access control to the data
Now you have your database of data, you can begin to address one of the core principles of the regulation – access control. You need to be able to demonstrate restricted access, justifiable access and control over that access. We all know our employees’ salaries are sensitive information and should only be available to the individuals concerned, but would we necessarily apply the same controls to the birthdate of our contact at our favourite supplier, currently available to everyone in the CRM? Go through your HR CMS and document who has access to what data, why they have it, when it was granted and any review date for that access. You’d be surprised at the rights that build up over time: as you move from role to role within the company, are your new rights replacing your old ones or simply being added to them?
Again, using people to do this is going to be challenging. Access management technology is readily available to help you accomplish these vital tasks. When you put the cost of such solutions against the salaries for the staff hours involved, it very quickly becomes an attractive proposition, with additional benefits such as an audit trail, various reports available in an instant and scalability.
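As an added illustration (not code from the original post or from Ubisecure), the check below runs the access review described above over a small, constructed inventory of access grants. Each grant records who, what, why, when and a review date; the reviewer flags rights carried over from a previous role, grants with no documented justification, and grants with a missing or overdue review date. All names, roles and dates are invented for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class AccessGrant:
    """One row of the access inventory: who has what, why, since when."""
    user: str
    current_role: str        # role the person holds today
    granted_in_role: str     # role they held when the right was granted
    resource: str            # data set the right applies to
    classification: str      # e.g. "personal", "sensitive-personal"
    justification: str       # documented business reason (may be empty)
    granted: date
    review_by: Optional[date]


# Constructed sample inventory (hypothetical users and systems).
SAMPLE_GRANTS = [
    AccessGrant("alice", "hr-manager", "hr-manager", "payroll",
                "sensitive-personal", "runs monthly payroll",
                date(2017, 1, 10), date(2018, 1, 10)),
    # Right granted as a sales rep, never removed after promotion.
    AccessGrant("bob", "sales-lead", "sales-rep", "crm-contacts",
                "personal", "customer contact",
                date(2015, 3, 1), date(2016, 3, 1)),
    # No reason recorded and no review date set.
    AccessGrant("carol", "finance", "finance", "payroll",
                "sensitive-personal", "", date(2016, 6, 1), None),
]


def review_access(grants: List[AccessGrant],
                  today: date) -> List[Tuple[str, str, str]]:
    """Return (user, resource, finding) for every grant needing attention."""
    findings = []
    for g in grants:
        if g.granted_in_role != g.current_role:
            findings.append((g.user, g.resource, "legacy-role"))
        if not g.justification.strip():
            findings.append((g.user, g.resource, "no-justification"))
        if g.review_by is None:
            findings.append((g.user, g.resource, "no-review-date"))
        elif g.review_by < today:
            findings.append((g.user, g.resource, "review-overdue"))
    return findings


if __name__ == "__main__":
    for user, resource, finding in review_access(SAMPLE_GRANTS, date(2017, 6, 1)):
        print(f"{user:8} {resource:14} {finding}")
```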
Remember, these principles also apply to physical data as well as logical data. So make sure everyone with the key to the cupboard containing personal data is documented, along with why they need access to that cupboard.
Perform a prioritised gap analysis
At this point, you know what you have, where it is and who can get at it. That’s great, but does it align with GDPR? To find out, you need to perform a prioritised gap analysis to see where you need to act and what you still need to do.
In parallel, your compliance team needs to be reviewing every policy and procedure within your organisation and addressing any shortcomings and out-of-date items. That process that says all files must be saved to your network drive should probably be changed to say that files need to be adequately protected (we’ll look at this in more detail in future episodes) and stored in a location that only appropriately authorised people can access.
Nobody knows your organisation like you do. Therefore you are the best person to draw up preparation plans and timelines. It would be prudent to take the 25th May 2018 deadline and work backwards to gauge what needs to happen by when. It is suggested that everything is in place by the end of February 2018, although most organisations are aiming for 31st December 2017, to allow a minimum of 3 months for any fine tuning that may be required.
Richard Hancock is a guest contributor and is Data Protection Officer for GMO GlobalSign, a leading Certificate Authority and encryption solution provider.
Read a brief intro on how Ubisecure can help your company towards GDPR compliance, or check out the first of our configuration tips. Or contact us now to discuss your GDPR project and how building in consent management can help.