GDPR and 3 steps to achieve better compliance

On 25 May 2018 the new GDPR regulation will be enforced in all European Union Member States; the clock is ticking.

But where to start? What to do first within an organisation?

Here are three best-practice tips for organisations to consider as they work to become compliant with the GDPR.

First of all, it is very likely that any organisation with customers and partners in the European Union will be affected by the GDPR.

A global chain of compliance will be mandated: any organisation located outside the EU that offers goods and services to customers within the EU has to comply, whether or not it owns the personal data it processes.

Breaking with the principles of this regulation might become painful. The fines are up to 2% of annual worldwide turnover in the previous financial year or €10 million, whichever is the greater, for minor breaches, and 4% of annual worldwide turnover in the previous financial year or €20 million for major breaches.

It is no longer a valid option for any organisation to weigh up the costs of compliance against the risks of prosecution.

Get to grips with your Databerg

To process personal data in a GDPR-compliant way, an organisation needs to know precisely where this data is stored.

Unfortunately, according to a Veritas study, on average 52% of all data stored by organisations is "dark": its content is unknown to the organisation that holds it.

If you don’t know what data you hold and where it is, you simply can’t comply.

Businesses with 250 employees or more must keep auditable records of their processing of personal data. Without a reliable record of processing activities it is hard for any organisation to prove compliance, which is a key requirement of the GDPR under the new principle of accountability.

Compliance teams also need to know if the personal data goes outside the European Economic Area so they can put the right data transfer agreements in place to ensure that the transfers are lawful.

They also need to be able to assess whether the data is still needed, and delete it if it is not, in order to comply with the principle of storage limitation.

To achieve this, employees should be interviewed to understand how they obtain, use and disclose personal data.

Do this in combination with a review of the way your systems process personal data, and reconcile the two.

This is the basis of your auditable processing record, and a map that will guide you when you review your data management policies and processes to bring them into line with the GDPR.

Use technical tools to gain insight into the dark data that you already hold, both content and location.

Most businesses have a blind spot when it comes to dark data, but it is costly to store, and after 2018 failure to manage it could attract a fine.

Delete what you don’t need, and formulate policies and procedures that will prevent the Databerg re-accumulating.

Establish processes to find data quickly

Each individual within the European Union will get new and improved rights under GDPR.

For example, each individual has the right to receive a copy of all the personal data that is held on them, the right to demand erasure or correction of the data, to have its processing restricted, or to have their personal data ported to another organisation.

These requests must be fulfilled without undue delay, and within one month of the request.

It is possible to obtain an extension of up to two further months in the case of complex or numerous requests.

These timelines may look generous, but the timeline can be challenging to meet: many organisations hold a large volume of personal data on individuals, and it takes time to consider the legitimacy of the request, retrieve the personal data, read it, decide what redactions need to be made, and gain any compliance approvals.

Failure to meet the timeline attracts the “major breach” fine.

If your business gets a request from a data subject, can you find their data to action it? Can you do it quickly?

To be able to respond quickly, make sure that you do not hold personal data for longer than is necessary, and have the tools and processes to locate it quickly in both your structured and unstructured electronic systems.

Establish an easy way to pass the personal data you retrieve to the compliance team for review.

Create procedures to ensure the right personal data is disclosed/deleted/corrected/ported/restricted, and create auditable logs so that you can prove that you did what you said you did.

Don't forget the basics and do an analysis of your data security

The integrity and confidentiality principle in the GDPR requires that personal data be protected from loss, damage and destruction.

It is therefore essential to make sure that the data is backed up, so you can recover it.

This may seem to be the easiest part in the overall GDPR conversation, but this task should not be underestimated.

If companies do their Databerg analysis right, they are likely to find that their data is fragmented across different storage areas.

They will find personal data stored on virtualised systems, cloud infrastructure and other systems and locations from mobile devices to shared cloud storage services.

Following these best practices will help to get a backup and resilience strategy in place.

Sourced by Tamzin Evershed, director of legal at Veritas

Nick Ismail
