For the past year or so, cyber security experts have been asking, with increasing concern, whether you’ve complied with the EU General Data Protection Regulation (GDPR) yet.
Hopefully you have, but it’s important to remember that compliance isn’t a fixed state. It’s not a point you get to where you can stop and think “mission accomplished”. It’s something that needs to be achieved and maintained – not only to prevent standards from slipping but also to stay on top of changes in the cyber security landscape. This is always a problem with regulatory compliance: organisations spend a lot of time and effort on their initial implementation project, but don’t keep up the work and soon fall out of compliance.
The consequences of this could be costly. Failure to comply with the GDPR can attract fines of up to €20 million or 4% of annual global turnover, whichever is higher.
The good news is that maintaining compliance shouldn’t be as hard as achieving it, particularly if you are well prepared. Here are three tips to get you started.
Conduct regular data flow audits
Data flow audits enable you to identify the information in your organisation and how it moves from one location to another, such as from suppliers and sub-suppliers to customers. You should have conducted, or be planning to conduct, a data flow audit as part of your initial compliance project, but you should repeat the process regularly to account for unforeseen or unintended uses of data.
Review your technologies and organisational processes
The GDPR mandates that technological and organisational measures be “appropriate”. This is a deliberately vague term that accounts for the fact that best practices are constantly evolving. Rather than specify some technology that might be outdated in a year or two, the Regulation leaves it up to organisations to keep track of the best solutions.
Stay on top of staff awareness training
The GDPR states that employees need to be enrolled on regular information security staff awareness courses. This should already be common practice in your organisation, but it’s essential that staff complete these courses during their induction and repeat them at least once a year. Courses should also include information on the GDPR’s requirements and how employees can comply with them.
Organisations often struggle to put together a comprehensive programme that addresses everything that employees need to know. Many find it easier to turn to third-party solutions, such as our information security and GDPR staff awareness e-learning courses.
These online courses cover everything your employees need to know and allow them to study at a time and pace that suits them. You don’t need to worry about finding qualified teachers to deliver courses at set times, or about significant drops in productivity, as employees can pick up the course whenever a suitable time arises. All you need to do is check that they’ve completed the course and document it.