GDPR – four letters that put fear into the hearts of organisations, as the deadline loomed last Spring. It’s been quite a journey for many – and varied, at that.
Even though the EU gave companies two years to ensure GDPR compliance, many waited until the last minute to act. For those there was a scramble to comply, and an unspoken expectation that the ICO would immediately use its new powers. When that didn’t happen, and GDPR fine headlines were missing from the media, lots of us wondered whether this was actually serious. Over the past few months, the ICO has shown that it absolutely is.
In July 2019 the ICO announced its intention to fine BA £183 million and, the next day, Marriott £99 million, both for security failings that exposed customer data. These are two very significant penalties, amounting to roughly 1.5% and 3% respectively of the companies’ annual turnover. GDPR has revealed its backbone.
So, fast forward 18 months from the launch of GDPR, and these four letters still carry negative connotations. Organisations are nervous. They’re being reactive rather than proactive, and there is still a sense of dread around the legislation. But it’s an unnecessary fear.
Ahead of the game
Getting on the front foot of regulation is entirely doable. It does however require a mindset which many are unfamiliar with. New technology has made data incredibly important for organisations today and gathering as much as possible is common practice.
Organisations need to evolve with the innovative technology around them, and part of that process is moving on from legacy data management processes. To start, all companies need to make privacy a top priority. Give data privacy the time and respect it deserves, and regulatory compliance will follow naturally.
Being GDPR compliant is about the journey, not the destination. It won’t happen overnight, and it must be a company-wide effort. Employee education is essential and privacy should be built into every part of the business across departments, not just in IT or legal.
It’s like the parable of the wise and the foolish builders. If you take the time and effort to adjust practices across the company, you are building your privacy “house” on strong foundations. The amount of data we collect, store and use is only going to increase; anyone who has built their house on sand can expect to face the consequences.
Three steps to success
There are three steps which every organisation should take to get ahead of the regulation game. The first is to map your systems and processes. Too often organisations go years without fully auditing their own processes. Without a complete understanding of the spider’s web of different systems exchanging different data sets, there’s no way to be certain of compliance.
The second is to create a comprehensive data inventory, or record of processing activities (the Article 30 record that GDPR itself requires of most organisations). This gives you a manageable, navigable register with which to track your data. The final step, equally important, is to revise your data privacy policies and procedures. Do they cover all systems and processes? Can they be applied to your whole data inventory? And critically, are they compliant with GDPR?
Part of changing the mindset is expanding the way you view data. For example, how do you handle data in transit compared to data at rest? And how long have you held it? An organisation using cloud services will need to appreciate the new data privacy challenges this brings, such as whether its cloud provider can produce an auditable trail of where the data has been and who has accessed it. Data retention periods should be part of your policy and adhered to, in line with GDPR’s storage limitation principle. There is an undeniable problem today with hoarding old data, which increases breach exposure and can cost organisations hundreds of thousands of pounds in storage and management overhead.
No asset left unturned
By getting on the front foot of regulation surrounding data, companies can make sure they’re working with policies ahead of the game, rather than chasing them. Comprehensive asset lifecycle management is the key to keeping sensitive data secure and making sure no asset leaving your “house” of privacy still has data on it. Importantly, there needs to be a process for end-of-life assets that includes secure data sanitisation. This consists of data erasure, verification that the erasure actually succeeded, and a full audit trail presentable to regulators.
This process is essential to Article 17 of GDPR, the ‘right to erasure’, an element which many fail to comply with. Here is a perfect illustration of proactive success: be ready to act on Article 17 when an individual requests it, rather than being shocked into action when they do. GDPR requires such requests to be handled without undue delay, and in any event within one month (Article 12), so a process that has to be invented on the spot risks missing the deadline and inviting enforcement. Remember the scout motto of “be prepared”; BA and Marriott are examples of acting when it was already too late.
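The “erase, verify, audit” sequence described above, as an added example in Python that is not Blancco’s product or the article’s own code. It overwrites a file in place, verifies by reading it back, and appends a JSON-lines audit record. The chunk size, the audit record fields, the operator name and the sample CSV contents are all assumptions made for illustration. Caveat a practitioner would add: an in-place file overwrite does not reliably sanitise data on SSDs (wear levelling), copy-on-write filesystems, snapshots or backups; for whole devices use the drive’s own secure-erase or crypto-erase command, and treat this routine as the shape of the workflow rather than a guarantee.

```python
# Added example (not Blancco's product or the article's own code): a
# file-level "erase, verify, audit" routine of the kind the text describes.
# Caveat: an in-place overwrite does NOT reliably sanitise data on SSDs
# (wear levelling), copy-on-write filesystems, snapshots or backups; for
# whole devices use the drive's secure-erase / crypto-erase command. The
# audit record fields and the operator name are assumptions for illustration.
import hashlib
import json
import os
import secrets
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 16  # 64 KiB per write/read (assumed; tune to the device)


def sha256_of_file(path):
    """Hash the file's current contents; used for the before/after audit check."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def overwrite_file(path, fill=None):
    """Overwrite every byte of the file in place, then flush and fsync.

    fill=None writes cryptographically random bytes; fill=b"\\x00" (or any
    single byte) writes that byte, which is what the verification pass checks.
    Returns the number of bytes overwritten.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        remaining = size
        while remaining > 0:
            n = min(CHUNK, remaining)
            f.write(secrets.token_bytes(n) if fill is None else fill * n)
            remaining -= n
        f.flush()
        os.fsync(f.fileno())
    return size


def verify_filled(path, fill=b"\x00"):
    """Read the file back and confirm every byte equals `fill`."""
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            if block != fill * len(block):
                return False
    return True


def sanitise_file(path, random_passes=1, operator="assumed-operator"):
    """Erase, verify and return an audit record; unlinks the file only on success."""
    before = sha256_of_file(path)
    size = os.path.getsize(path)
    for _ in range(random_passes):
        overwrite_file(path, fill=None)
    overwrite_file(path, fill=b"\x00")  # final known pattern for read-back
    verified = verify_filled(path) and (size == 0 or sha256_of_file(path) != before)
    record = {
        "asset": os.path.basename(path),
        "bytes": size,
        "method": f"{random_passes} random pass(es) + zero fill, read-back verify",
        "sha256_before": before,
        "verified": verified,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "operator": operator,
    }
    if verified:
        os.remove(path)
    return record


def append_audit(record, log_path):
    """Append one JSON line per sanitised asset: the trail shown to a regulator."""
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(record, sort_keys=True) + "\n")
    return log_path


def demo():
    """Sanitise a constructed file of sample personal data; returns (record, removed)."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "customer-export.csv")
    with open(path, "wb") as f:  # constructed sample input, not real data
        f.write(b"name,email\nA. Person,a.person@example.com\n" * 5000)
    record = sanitise_file(path, random_passes=1)
    append_audit(record, os.path.join(workdir, "sanitisation-audit.jsonl"))
    return record, not os.path.exists(path)


if __name__ == "__main__":
    rec, gone = demo()
    print(json.dumps(rec, indent=2), "file removed:", gone)
```

The design point is that verification is a separate read-back of a known pattern rather than trusting that the write call returned: the audit record carries the pre-erasure hash, the method, the verification result and a timestamp, and the file is only unlinked once verification passes, so a failed erasure leaves evidence rather than silently vanishing.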
Staying one step ahead of regulation
Consider appointing a Data Protection Officer (DPO) to take on the mission of proactivity for you. GDPR (Article 37) makes this mandatory for public authorities and for organisations whose core activities involve certain kinds of large-scale processing. A successful DPO acts as chief architect of your privacy “house”, coordinating with all staff members including the security and IT operations teams.
Remember that the biggest threat to data privacy is human error, which can only be minimised with practical education for all employees; data is everyone’s responsibility. Other proactive actions include patching and reviewing firewall rules, regularly reviewing where your data is stored, putting third parties on a separate guest network, and keeping up with the latest cyber threats.
GDPR is not about avoiding an eye-watering fine; it’s about the significance of personal data privacy. Nearing its two-year anniversary, GDPR has created some terrifying headlines in the media, but more importantly it has forced organisations to rethink their data management strategy. Be proactive in your approach to maintaining data privacy. Stay one step ahead of regulation and make sure the right people and processes are in place now, before it’s too late.
By Fredrik Forslund VP Enterprise & Cloud Erasure Solutions at Blancco