GDPR training sessions may not yet be happening in droves across the UK, but they should be, because the May 2018 deadline feels closer than ever as the details of the complex legislation begin to sink in.
Training facilitators stand at the front of conference rooms packed with IT staff, compliance managers, data protection officers, even QCs, and attempt to address the unending stream of questions that surround this complicated regulation, which runs to no fewer than 99 articles and 172 recitals (the explanatory commentary that accompanies them).
A bit of a contradiction really, given that the overarching objective of the General Data Protection Regulation is to make everyone clearer about their data protection obligations.
Teams are being scrambled in larger businesses to assess the implications and draw up action plans to keep them compliant - and they’re right to cram as much prep in as they can because it’s a mammoth task, even with a dedicated team managing the change.
The leap is far more difficult for SMEs. In many smaller companies, Data Protection Officers will find they have inherited the GDPR problem, along with the enormous responsibility of keeping the business on the right side of the law.
It is reasonable to assume that many of them will not know where to start, and even if they do, they cannot be expected to know, understand and implement everything that needs to happen without expert help. We have always offered an IT consulting service that speaks plainly about what a business needs to do, and with GDPR we are no different.
GDPR has three core elements that look at:
- The rights of the individual – the data subject
- Consent to use data – the process around obtaining and maintaining consent
- Legitimate interest to use the data – understanding and assessing legitimacy
It is only when you get into the details that you realise just how far the legislation reaches, and it is not just a red flag for companies that use data to fuel their marketing machines. GDPR also asks businesses to rethink how they manage and control information security, accessibility and encryption.
For example, right now, if an employee of a medical practice left a laptop full of personal patient details on a train and the information wasn’t encrypted, that would be considered a data breach. Seems logical enough.
If, however, the same laptop was left on the train, not encrypted, but a back-up of the data existed, that wouldn’t be considered a breach under GDPR. Not so logical, right?
This is just one of hundreds of examples we could highlight that will raise questions with Data Protection Officers. However, not understanding or agreeing with the logic won’t be an excuse for not complying.
How can pebble.it help?
One of the first things businesses need to do, as soon as possible, is an impact assessment. This should be a deep dive that asks probing questions about the data they currently hold, such as:
- Why they have it
- Where it’s held
- If it’s necessary
- How it’s used
- How accurate it is
- Whether they have permission to keep it on file
- Who else has access to it
- How it’s protected
And most importantly, how it measures up to the new guiding compliance principles of legality, transparency, fairness and purpose limitation.
Where can pebble.it offer practical help?
We can help businesses quantify just how much of their data contains personal or sensitive information, and provide expert advice and hands-on IT support in London or across the UK to manage it.
We look at three key areas:
- Helping teams understand business obligations
- The information security chain and accountability
- Awareness and training
- How to work with best practice principles
- Building audit and governance controls
- Assigning roles and responsibilities
- Creating GDPR-compliant processes
- Managing network security
- Securing physical storage
- Ensuring secure filing
- Managing information back-up
- Assessing and improving data storage
- Ensuring appropriate separation of data
- Intrusion prevention systems (IPS)
- Penetration testing
- Appropriate use of encryption
- Safe destruction of information and purging
- Secure file transfer
- Advice around cloud-based services
- Advice on service provider contracts
- Understanding legitimacy
- Acceptable use of data
- How to assess data qualification
- Understanding data controller and data processor responsibilities
- Legitimate use and marketing communication
As GCHQ-certified GDPR practitioners, we can help businesses in any industry assess what they have and outline the steps to take in order to comply with the legislation. This applies particularly to SMEs, which are legally obliged to comply at the same level, and by the same date, as global giants, but with substantially more modest resources and budgets.
We can also work as a data processor, in close tandem with and under the direction of the organisation's data controller, to make the compliance process simpler.
Parts of the GDPR will have more of an impact on some businesses than on others, so we can help organisations work out how much work they have ahead of them and create a roadmap that streamlines their approach to data and ensures they are GDPR compliant by deadline day: 25 May 2018.
Discover how you can take the first steps towards compliance with legislation and how certified GDPR experts pebble.it can help you get there by downloading our free GDPR-readiness checklist: