The General Data Protection Regulation (GDPR) is going to affect every organisation that obtains and stores personal data from 25 May 2018. Organisations, in both the public and private sectors, need to take action to meet the requirements of GDPR and avoid the sanctions and fines the Information Commissioner can impose if data is mishandled, incorrectly shared or lost.
So, what should organisations be doing to comply with the new GDPR regulations?
Organisations must have a full understanding of how their data is handled, who has access and how it is managed. In many cases, organisations will need to appoint or have someone fulfil the role of a Data Protection Officer (DPO) or Data Manager who is responsible for ensuring the right processes are in place and implemented. If you are a small enterprise, depending on your line of business and the type of data you handle, you may have the option of partnering with other small organisations to ‘share’ a DPO or Data Manager.
All parts of the supply chain need to work together to achieve the same standards and ensure there is a combined and secure approach to handling the data they share. In the case of a breach, wherever it happens in your supply chain, the Information Commissioner will see you as jointly responsible and you will still be liable for a fine. It is therefore imperative you perform thorough due diligence on your current suppliers to ensure they are GDPR compliant, and any new suppliers you bring on before you share any form of customer or client personal data with them.
Every employee with access to personal data needs to be aware of their roles and responsibilities in maintaining GDPR compliance. While you can’t prevent every case of human error, your employees are less likely to make an error if there is a common understanding about best practice. Furthermore, organisations should review their policies and processes and only provide access to those employees who really need it.
At the heart of achieving GDPR compliance is providing all your staff with effective awareness training and the simple, practical guidance they need to understand their responsibilities and what the appropriate behaviours are. Training should be seen as enabling good behaviours rather than just a tick-box exercise. It needs to encourage, engage and motivate through a range of activities including regular online eLearning and interactive events such as lunch and learns and gamification.
Inspired training will help employees go beyond thinking just about meeting the basic compliance needs and equip them to make the right decisions, at the right time in the interests of cyber resilience.
Should a breach occur, showing the Information Commissioner that you are regularly educating employees and they responded quickly in the right manner to rectify the issue could help minimise any resulting sanctions or fines.
The growth of cloud storage means fewer organisations now have on-premises storage. Using the cloud means thinking about the levels of security the cloud provider is using to protect your data.
As with your supply chain, you need to undertake due diligence to understand whether your chosen cloud storage provider has the restricted access that will enable you to comply with GDPR. If the cloud provider’s security protocols are breachable, you would again share the liability and therefore also be open to sanction from the Information Commissioner.
Despite the pressures of complying with GDPR, the regulation also presents tremendous business advantages. By establishing the right procedures, processes and training, your organisation can build its reputation and trust with customers and demonstrate how seriously you take the management of data.
Above all – for each and every organisation – ignoring GDPR is not an option, but instead it should be embraced for the opportunities it can bring.
This content piece was a joint effort with AXELOS, CyNation and UK Cloud.