For those businesses that might not have started their compliance journey yet, there are resources that can help. A good place to start, for example, is by visiting the Information Commissioner’s Office (ICO) website and making use of the many briefings and webinars that it has made available. It’s also published an extremely useful paper on the 12 steps towards GDPR compliance that can help guide your own compliance journey.
While this high-level view is necessary for GDPR compliance, it also requires a more in-depth look at business workflows and processes — and this is where the IT department of a business comes into the equation. Those working within the department often hold technical knowledge that is little known elsewhere in the business, and this can prove immensely valuable when ensuring compliance on a company-wide level. Specifically, there are three ways in which IT can make the compliance journey easier.
Understanding the data that you hold
The GDPR states that businesses need to document all the personally identifiable information (PII) that they hold, where it came from and who they are sharing it with. However, for a large number of businesses this is easier said than done, mainly because of the sheer amount of data they hold.
For example, a business with 100 employees will typically hold over five million different files, and trawling through all of this to search for any PII would be an extremely time-consuming process.
To help make this compulsory step easier, there are several ‘GDPR automated data and discovery’ and ‘GDPR analysis’ tools available on the market. These work by performing a comprehensive scan of your network and identifying any files that contain PII — this could be names, email addresses, IP addresses or something else entirely — before compiling a report that lists all the PII that has been found and the location of each file in question.
Of course, there is still work to be done by the user, but these tools are a great way of giving businesses a real head-start in the compliance journey. What’s more, once compliance has been achieved, these tools can be run periodically to maintain a compliant environment.
Locating the data
Most businesses should be used to subject access requests, as they formed part of the existing Data Protection Act, but under the GDPR a fee can no longer be charged for them.
Businesses, therefore, need to prepare themselves to deal with more of these than ever before, whether they come from customers, staff (both ex- and current) or otherwise.
Perhaps the most important thing to remember with data access requests is that they must be handled within the prescribed timescale and deliver the relevant information to the requestor.
The GDPR tools mentioned in the point above can help businesses to locate the desired information — both for subject access requests and for right-to-be-forgotten requests. There are also tools to help manage these requests more effectively.
Businesses need to know they can restore corporate data in the event of a cyber attack, and this is often done through regular system backups (coupled with a robust disaster recovery solution).
However, this often leaves businesses with multiple copies of the same files. If you consider the way in which most businesses perform backups, i.e. using a grandfather-father-son rotation, it is plausible that a single file exists in 10 or more locations, with yet more versions lying undiscovered.
Add to this the fact that businesses often structure their data around their clients and internal departments, and that large copies of data are often kept after system upgrades ‘just in case’, and you start to understand just how widespread this problem might be. This is why using these tools to locate data is so vital.
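As an added illustration (not code from this article or from any vendor's product) of what the discovery tools described above do, and of the duplicate-copies problem in the backup discussion: the script walks a constructed directory tree, flags files containing email or IPv4 addresses, and groups identical copies by content hash so that one record held in live storage and in several backup generations is reported as a single document with multiple locations. The paths, file contents and the two-entry pattern set are constructed assumptions.

```python
import hashlib
import os
import re
import tempfile
from collections import defaultdict

# Two of the PII types the article names; real tools ship far larger pattern libraries.
PII_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

def scan_file(path):
    """Return {pii_type: match_count} for one text file (empty dict if none found)."""
    with open(path, encoding="utf-8", errors="ignore") as fh:
        text = fh.read()
    return {name: len(pat.findall(text)) for name, pat in PII_PATTERNS.items() if pat.search(text)}

def scan_tree(root):
    """Walk root; return (findings: rel path -> {pii_type: count},
    duplicates: sha256 -> sorted rel paths, only where a PII file exists more than once)."""
    findings, by_hash = {}, defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            hits = scan_file(full)
            if not hits:
                continue  # no PII, nothing to document
            rel = os.path.relpath(full, root)
            findings[rel] = hits
            with open(full, "rb") as fh:  # hash content so backup generations group together
                by_hash[hashlib.sha256(fh.read()).hexdigest()].append(rel)
    return findings, {h: sorted(p) for h, p in by_hash.items() if len(p) > 1}

def demo():
    # Constructed sample tree: a live share plus two backup generations of the same file.
    root = tempfile.mkdtemp()
    record = "Customer: J Doe <j.doe@example.com>, last login from 192.168.10.42\n"
    sample = {
        "shares/sales/contacts.txt": record,
        "backups/daily/shares/sales/contacts.txt": record,   # 'son' backup
        "backups/weekly/shares/sales/contacts.txt": record,  # 'father' backup
        "shares/ops/readme.txt": "Build notes only, no personal data here.\n",
    }
    for rel, body in sample.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return scan_tree(root)
```

Running `demo()` reports the three `contacts.txt` copies as PII-bearing files and, via their shared hash, as one document in three locations; the readme is left out of the report.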
Keeping data secure
GDPR requires all businesses to detect, report and investigate data breaches, which are becoming all too commonplace as time goes on. 2017 alone was full of cyber attack stories involving major organisations, from the NHS to the Houses of Parliament, and this has led businesses to question whether they’re considering their own security seriously enough.
Data lies at the heart of GDPR, and so every possible effort should be made to protect any PII that your business holds. This remains a constant struggle, as IT infrastructures are continuously vulnerable to attack.
The truth of the matter is that there are very few businesses that are truly protected against cyber attacks, and so they must strengthen their defences by looking at their entire IT infrastructure, from the security features of the hardware itself to ensuring that all confidential corporate data is protected from data breaches.
Perhaps the most efficient way of doing this is to introduce specialist security solutions, such as vulnerability management tools, that can scan your entire IT infrastructure and identify any security vulnerabilities. The IT department can then use this information to make the necessary operating system upgrades and patch fixes to minimise the likelihood of a breach.
With the compliance deadline for GDPR creeping ever closer, there seem to be two contrasting reactions from businesses. While some seem to be overwhelmed by it to the point where they’re not sure how to begin their compliance journey, others choose to gloss over the issue and pretend that it won’t affect them.
Yes, GDPR compliance will be a challenge for many businesses, and the punishments for not being compliant will be severe. But working alongside the IT department to understand, locate and secure all the data you hold — and most importantly any PII — can make the compliance journey much easier, while reassuring businesses that they are headed in the right direction.
Sourced by Gavin Russell, CEO, Wavex