Practical last minute advice on GDPR readiness
)
GDPR comes into effect on May 25. And let’s be honest, you are probably sick and tired of hearing about it. But still, it’s crucial you have your house in order. If you haven’t managed this already, don’t worry, there’s still time to get the ball rolling.
Before we get stuck in, it’s worth noting that this article simply contains general tips to set you in the right direction. At no point should it be construed as legal advice. If you’re unsure of anything, please do seek legal counsel.
Ahead of the May 25 deadline, Venturi’s Voice asked industry experts Dominic Johnstone and Emerick Desormeaux on how to address looming GDPR challenges.
Dominic Johnstone is an information, records, and GDPR consultant. Previously he was Head of Information Management Services at Crown Records Management. Emerick Desormeaux is a freelance GDPR expert who specialises in assisting businesses prepare for the incoming legislation.
Here’s their advice.
Risk assessments involve vendors too
You may have already conducted a thorough evaluation of your own business. But does the same hold true for the IT vendors and service providers you depend on? How to properly assess risk management beyond your own organisation is critical for GDPR implementation.
“Most credible vendors will have put a process in place to notify their customers where they stand with regards to compliance with GDPR. Clearly, your business processes and the way you handle personally identifiable information need to be reviewed in line with their processes too,” said Dominic.
It’s important for your organisation to have appropriate agreements in place with third-party vendors for breach notifications. Also keep a keep an eye on service-level agreements (SLAs) as they pertain to existing contracts.
Consider keeping data local
Where businesses store information on their users is becoming as important as how it’s stored. GDPR is pushing businesses to have full knowledge and control over where data is housed. But in today’s era of cloud computing, data is constantly moving, making it difficult to be compliant with these demands.
“Chances are you will probably find that you have sensitive data held in many more systems than you initially thought. Look at email, social media, websites, online storage, local storage, paper ERP, CRM and other lines of business systems to ascertain where your data risk is. Some providers allow you to stipulate where in the world your online data is held, sometimes at an additional cost” said Dominic. Having a presence in data centres across multiple regions is helpful as choosing to store data locally minimises the impact of the new regulations.
The first step in tackling this challenge is always a data audit. Emerick recommends performing a data audit over all internal infrastructure while simultaneously conducting a similar audit for activities outsourced to IT service providers within the European Economic Area (EEA) and in Third Countries. Equipped with the results of these audits, you will be in a better position to strategically plan where best to house your data.
Get serious about data classification
Is your user information being properly identified, organised, and processed?
Data classification is an area of GPDR that requires a significant amount of work and assessment. The regulation is littered rules governing how organisations document information collected on users without breaching user agreements. User data can only be used in a way that’s inline with collected consent.
Being able to track user data end-to-end across all applications is quite a difficult problem to solve. Emerick explained that there are two options to consider here: (1) a typical data classification solution or (2) a big data search application.
“Most organisations use multiple systems for their daily activities. A basic SQL-type query would not cover all systems to identify and retrieve personal data. Therefore, the first solution and most appropriate in the long term is to identify the current data classification logic your company uses and to transition gradually to an automated or semi-automated solution. Alternatively, big data applications like SOLR are free and can provide an interim solution at reduced cost,” he said.
Dominic reiterated this point, highlighting the fact that the key to solving the problem of classification lies in automation. “Understanding the types of information that you store determines the classification that you apply. There are automated systems that will analyse all relevant content, understand the context of each piece of information, and then automatically suggest where it should be stored and how it should be processed,” he said.
However, it’s clear not everyone has gotten this message. Data protection specialist AvePoint polled 239 organisations on their GDPR readiness. They found that most companies are still relying on manual data classification processes. Only nine percent of organisations use automated tagging in this regard.
Responding to GDPR data subject access requests (SARs)
Under GDPR, organisations must provide users with a copy of their data if they request it. This must be done within a month and at no cost to the user. There is some wiggle room, however. The deadline can be extended to three months for complex requests and organisations can charge a “reasonable fee” for additional copies of a user’s data. Nonetheless, Emerick advised sticking to best practices.
“The solution lies in a combination of changes in people, processes and technologies. First, the organisation must define a procedure to handle SARs which should cover an identity verification, IT requests to retrieve data, and approval of findings. Defining responsibilities, response time, and required technology are the other key success factors to consider during the design phase,” he said.
Dominic pointed out that even when you have all the right processes in place to handle SARs, you still need to be careful about the information you release. “It’s possible that the information you release in response to an SAR could end up inadvertently exposing another users private data” he said.
Don’t neglect physical security
Most discussions on GDPR concern safeguarding the privacy of user data with cyber security measures and data management policies. As vital as these are, businesses must also take into account the physical security of their data centers and the systems within, reminded Emerick.
“Personal data is ultimately stored in physical infrastructures whether the organisation uses cloud storage or not. Moreover, GDPR covers all personal data stored in physical archiving facilities. Therefore it is crucial to consider access to data, systems, and physical information assets while conducting privacy reviews and defining remediation actions,” he said.
Be proactive
The one thing you should not do is sit tight and hope for the best. Although the ICO may have their hands full with egregiously non-compliant organisations over the summer months, that’s no reason to believe you can fly under the radar indefinitely. As mentioned at the outset, if in doubt seek legal counsel about the steps that are most appropriate for your own organisation.
For more information on how to successfully navigate the changes GDPR will bring – check out our podcast with Ian Bourne. Ian is an ICO leader with more than two decades experience in the organisation.