It is often the case that a solution to a problem or challenge can be more easily found when you bring fresh eyes to it, and the upcoming GDPR legislation is one of those business cases where this is true. You may be aware that you need to upgrade your data protection policies to meet compliance, but faced with the overwhelming volume of information contained in the legislation, and the numerous facets involved, it can be very difficult to know just where to start.
On top of that, if you are an SME, you may not have the resources to invest in a full-time Data Controller, or to assign your IT team to a long-term security fix and upgrade when there are day-to-day tech issues to manage. Even if you could, GDPR is much more than just a problem for the IT department anyway.
Seeking the help of a certified GDPR consultancy is therefore a decision that makes sense. An unbiased, professional team of IT experts with EU GDPR Foundation & Practitioner accreditation can assess where your organisation currently stands in relation to compliance, and advise on the practical steps you need to take to meet the new regulatory standards on data protection.
The Data Audit
You can’t possibly know if you are adequately protecting data if you don’t know exactly what constitutes personal information, what data your organisation has, where it is stored, how it moves through the organisation, and who has access to it.
A GDPR consultancy can assist with:
- Personally Identifiable Information (PII) Discovery - to find and prioritise the data that needs to be protected
- Your data audit - to create a data map that shows you how data flows through the organisation (and where it can leak or be lost)
- Gap analysis - to identify where data breaches could occur
- A data protection impact assessment - to outline the risks involved in processing that data
Once you know what data you have, where it is, and how it is processed, you can start to work towards protecting it in line with regulations before the May 2018 deadline.
The Data Protection Process
Securing your data from loss, theft, leaks or unauthorised access can mean implementing IT upgrades to your current systems. A GDPR consultant will be able to sit down with your Data Controller and IT team and run a security audit to assess the viability of the technology and software you already have.
As well as advising on the separation, compartmentalisation and minimisation of data to reduce overall risk factors, they should be able to advise on:
- Server storage, online storage and cloud security - ensuring all data, both at rest and in flight, is secured through encryption
- Back-up and restore of data - as part not just of GDPR compliance but also of business continuity planning, and making it accessible to authorised staff only in the event of data requests
- Intrusion protection - ensuring your systems are not vulnerable to ransomware or other cyberattacks, and that firewalls are sufficient
- Penetration testing
- Pseudonymisation or tokenisation
- Correct use of Access Control Lists (ACLs)
- Implementing privacy by design - to ensure all data protection requirements are built into the planning of data processing as well as the processing itself, through minimisation, purpose limitation and cyber security measures
It is not sufficient to simply put data protection solutions in place - your organisation must also be able to prove that there is a clear and effective data governance system in place to protect the data privacy of clients, potential customers and any consumers whose data it holds. This will involve:
- Developing an understanding of what GDPR is, and what the ramifications of not adhering to it will be
- Documenting your Privacy Governance Model with clear roles, responsibilities and reporting lines so that privacy compliance is understood across the organisation (and not just by the guys in IT)
- Developing and rolling out training for all personnel
As well as advising on the IT security requirements you need, your accredited GDPR consultant should also help to outline the ways in which you can make sure all members of your team understand the regulations and their role in being compliant, including:
- The security chain
- Best practices
- Proving accountability
- Security policies
Overall, as well as helping you put a plan of action in place to ensure your IT security is up to scratch, your GDPR experts should also show you how this really is an investment that future-proofs your business.
The up-front costs of hiring a GDPR consultancy will be nothing compared to the potential fines and penalties you will face if you don't put a compliance plan in place. A compliance solution will also help your business stand out from the crowd, with an enhanced reputation for prioritising the data rights of your customers and clients, and for cyber security.
It will also mean that from a business point of view, you will be working with more accurate data, meaning you can gain better insights, and achieve better results.
At pebble.it we can provide the hands-on, practical advice you need to turn the complex legislation of the GDPR into plain English, and show you what you need to do to be compliant.
Discover the steps that will put you on the road towards compliance and how we can help you get there by downloading our GDPR-readiness checklist: