GDPR has many requirements which, for most organisations, are completely new. The most challenging part of compliance will be withdrawing consent, also known as the ‘right to be forgotten’, something we’ve seen take considerable steps forward in the wider context of the Internet. For businesses, this means being able to discover where data is stored and potentially delete all references to the EU citizen making the request. While this is relatively simple for information held in databases, it is the unstructured data on laptops, file servers or in the cloud that will create a significant issue for organisations. Following these steps will help you to focus on priorities and accelerate compliance.
As with most businesses, once the need to comply with the GDPR is understood, the next question is where to begin. In all my presentations I put forward a practical approach to GDPR compliance which works for organisations of all verticals and sizes, and no matter what country they operate in:
1) Download and read the regulation, understand how it fits alongside other regional regulations a business might need to comply with, then map that to internal standards including risk management, IT systems and policies.
2) Undertake a data flow exercise with the departments of your organisation that process and share critical data. Use technology to monitor that use and gain visibility of how critical data flows in and out of your organisation.
3) Discover where GDPR relevant data is stored/located within your organisation
Carry out a ‘data discovery’ exercise across your organisation. Scanning for critical data will give you a list of the files that contain GDPR-relevant data and where those files are located (e.g. endpoint devices, servers, networks). This will be essential for handling a ‘right to be forgotten’ request under the new legislation, and it can also be used to better understand the complexity of compliance.
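As an added illustration of this discovery step (example code, not from the original article or any product it describes), a small Python scanner that inventories files containing personal-data patterns and, for a ‘right to be forgotten’ request, lists the files referencing a given data subject. The detection patterns, file names and sample contents are constructed assumptions for the example.

```python
import re
import tempfile
from pathlib import Path
# Coarse, constructed detectors; a real exercise tunes them to the data the business holds.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"(?<!\w)(?:\+\d{1,3}[ -]?)?\d{2,4}[ -]?\d{3,4}[ -]?\d{3,4}\b"),
    "iban": re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){3,7}\b"),
}

def readable_text(path, max_bytes=1_000_000):
    """Text of a file, or None if binary, oversized or unreadable (queue those for manual review)."""
    try:
        if path.stat().st_size > max_bytes:
            return None
        return path.read_text(encoding="utf-8", errors="strict")
    except (UnicodeDecodeError, OSError):
        return None

def scan_tree(root):
    """Inventory {file: {category: count}} of files under root; counts are triage hints, not verdicts."""
    inventory = {}
    for path in sorted(Path(root).rglob("*")):
        text = readable_text(path) if path.is_file() else None
        if text is None:
            continue
        hits = {name: len(rx.findall(text)) for name, rx in PATTERNS.items()}
        hits = {k: v for k, v in hits.items() if v}
        if hits:
            inventory[path.relative_to(root).as_posix()] = hits
    return inventory

def files_referencing(root, subject_email):
    """Right-to-be-forgotten lookup: files mentioning the subject's address, for review and erasure."""
    needle = subject_email.lower()
    return [p.relative_to(root).as_posix() for p in sorted(Path(root).rglob("*"))
            if p.is_file() and needle in (readable_text(p) or "").lower()]

def build_sample_tree():
    """Constructed sample files so the example runs offline; returns the root directory."""
    root = Path(tempfile.mkdtemp())
    (root / "hr").mkdir()
    (root / "hr" / "contacts.csv").write_text(
        "name,email,phone\nAnna Example,anna@example.com,+44 20 7946 0958\n"
        "Bob Sample,bob@example.org,+44 161 496 0000\n")
    (root / "finance").mkdir()
    (root / "finance" / "supplier.txt").write_text("Constructed payment record: GB82 WEST 1234 5698 7654 32\n")
    (root / "notes.txt").write_text("Team meeting notes, no personal data here.\n")
    (root / "logo.bin").write_bytes(b"\x89PNG\x00\x01\xff\xfe")  # binary: skipped, not decoded
    return root
```

Files the scanner cannot decode are skipped rather than reported, so in practice they need a separate manual-review list; the digit-heavy IBAN record also trips the phone pattern, which is why the counts are a starting point for review rather than a final answer.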
4) The results of your mapping, monitoring and scanning exercises will highlight gaps in your data processing and security technology. Use your findings to document a plan of action and a strict timeline for the changes and improvements required, so that your organisation complies with the GDPR by the time it is enforced (May 2018).
5) Technology will play a part in your GDPR compliance project, both in reaching compliance and in maintaining it. Choose technology that automates manual data protection processes, enforces security policies, gives you visibility of data flowing in and out of your organisation, and increases the security and protection of critical data.
The road to GDPR compliance requires a mix of analysis and research on the people, processes and technology within your organisation. This presents an opportunity to gain a granular understanding of how your business operates and to evolve the way you collaborate and do business.
A well-executed GDPR compliance project will not only reduce the risk of a data breach and help you comply with the GDPR, it will also grow the trust your customers and prospects have in you, and ultimately grow your business.