As the deadline for GDPR compliance approaches, businesses everywhere are scrambling to find out what they need to do to avoid the fines they risk for inadequate data protection and security. There are lots of tips and guides out there, but these can be as confusing and lengthy as the regulation itself. The most important thing to know is that there is no need for panic. Putting a solid plan in place puts you in a good position, and whereas we previously discussed the 12 steps to GDPR compliance, we can simplify it even further. Here are the first five things you need to do to get in line with the new data protection standards if you are starting your compliance process from scratch.
Understand the GDPR
Your business will need to look at the GDPR legislation and break it down so that all team members can understand what it is, what impact it will have on the organisation, and what complying with each element involves.
Your Data Protection Officer (or, if your organisation is not required to appoint one, whoever owns data protection) should work with the board to outline the key elements of the legislation, and put a plan in place to meet the standards it sets out in areas including:
- Personal data: what counts as it, and which categories need extra care
- The rights of individuals, and the deadlines for responding to their requests
- Security of processing: the technical and organisational measures that protect the data
- Lawful bases and records of data processing
- Data erasure and portability
- Data breach detection and response, including notifying the supervisory authority within 72 hours of becoming aware of a breach
In short, your business needs to understand what changes GDPR will bring in, and how the organisation can meet the standards required.
Understand what data your business holds
In order to implement a robust data protection strategy, you first need to know what data the organisation holds, and this will require a data audit and data mapping exercise. This will enable the organisation to see what data it has, who owns it, what it is for and on what lawful basis, where it is stored, how long it is kept, how it is processed, and how it moves through the organisation’s network and systems, including to third-party processors.
Identifying every type of data you hold, and who has access to it at each stage, will enable you to highlight any weaknesses, shortcomings or gaps in the data chain that could lead to non-compliance, whether through a data breach or through an inability to access, change, transfer or erase personal data when an individual makes a request.
Encrypt the data you hold
Once you know what data your organisation holds, where it is stored, and who has access to it, you can start to protect it, and the first step is to encrypt it wherever it lives: the databases and file shares themselves, every laptop, phone and removable drive that can access or store it (full-disk encryption), and the connections over which it travels across the organisation’s network and systems (TLS).
Transforming personal data into ciphertext means that if a device or a copy of the data is lost or stolen, it is of no use to anybody without the key. The GDPR recognises this: if breached data has been rendered unintelligible to unauthorised persons, for example by encryption, the duty to notify the affected individuals may not apply. Two caveats matter in practice. Encryption at rest does not help when an attacker logs in with a legitimate user’s stolen credentials, because the system decrypts the data for them, which is why access control and two-factor authentication (below) still matter. And the protection is only as good as the key management: keys must be stored apart from the data they protect, with restricted access, or the encryption is decorative.
Alongside encryption, two related techniques are anonymisation and pseudonymisation, and it is worth keeping them distinct. Pseudonymisation replaces direct identifiers (names, e-mail addresses, customer numbers) with tokens, while the information needed to link the tokens back to individuals is kept separately under its own access controls. The GDPR names pseudonymisation repeatedly as an appropriate safeguard, but pseudonymised data is still personal data and remains fully in scope. Anonymisation goes further: if the data genuinely cannot be linked back to an individual by anyone, it falls outside the GDPR altogether, but the bar for “genuinely” is high, and a simple unkeyed hash of an e-mail address does not meet it. If your organisation can show that it has taken steps to make its data unusable to anybody outside the business, it stands in good stead.
Check your network protection and back-ups
Even if your data is encrypted, you still don’t want it to be accessed by anybody outside the organisation, or to see it lost or leaked, so you need to ensure you have adequate network protection in place. An IT security audit should highlight any weaknesses you need to fix, and your IT team, or an IT consulting service with expertise in GDPR compliance, should be able to recommend the upgrades required.
As your staff are both the first line of defence against cyber security threats, and the weak link into your organisation’s network and systems, you should also foster a cyber security culture that encourages secure access and use of data and devices.
They should know how to identify suspicious files and actions, and have clear instructions regarding what to do if they suspect something is amiss. They should also be given the means to be accountable: individual (not shared) accounts, access controls that ensure only authorised personnel can reach specific files, systems, devices and networks, and logging of who accessed what, so that a breach can be detected and investigated.
It’s always better to be safe than sorry, and to make it as difficult as possible for unauthorised persons to access your business network and systems, and introducing two-factor authentication for every team member is one way to increase data security.
Many businesses still only require a username and password to access business-critical systems. By adding a second factor, such as a one-time code generated on each person’s phone or a hardware token, a stolen or reused password is no longer enough on its own to get in. Remote access, e-mail and administrative accounts should come first. Alongside this, proper access settings (least privilege) ensure that each team member can only reach the files, systems and hardware relevant to their role, which limits what a compromised account can expose.
The GDPR also requires organisations to be able to restore the availability of and access to personal data in a timely manner after a physical or technical incident (Article 32), which in practice means having back-up and disaster recovery strategies in place to retrieve the data and keep protecting it should business continuity be disrupted.
Whether your business faces a cyber attack, a ransomware infection or any other event that takes systems down, it needs to be able to show that it can still provide secure access to an individual’s data, and this means being able to retrieve and share the most up-to-date version of that data possible.
Regular testing of your back-ups, by actually restoring them rather than just checking that the jobs ran, will show you where improvements are needed and how well the process aligns with GDPR requirements.
You should also extend your encryption to the back-ups, and make sure the keys needed to decrypt them are themselves backed up and recoverable separately: an encrypted back-up whose key was lost with the server it protected is no back-up at all.
Get help from the experts
Even with all the assurances that GDPR compliance is doable, your IT team and even your Data Protection Officer may need help putting the right processes in place, and it can be a very good idea to get help from an IT consulting service.
They can advise you on what you need to do to be compliant, providing the training and education your business needs on GDPR requirements, data mapping, security audits, back-up and data recovery, data protection, and data protection impact assessments.
As certified GDPR consultants, Optimity can help your organisation understand what needs to be done to meet compliance standards, and help you put the processes you need in place to avoid falling foul of the regulators, and to keep you ahead of the competition when it comes to accountability.
Discover the steps that will put you on the road towards compliance and how we can help get you there by downloading our GDPR-readiness checklist.