If you’ve recently found out that you need to comply with the EU General Data Protection Regulation (GDPR), and all you’ve been hearing about it since are the monumental fines that non-compliance will bring, you might be panicking. But it’s not too late. For one, the rumours of supervisory authorities’ desire to discipline organisations have been greatly exaggerated.
It’s also not as if you can’t continue putting measures in place after the compliance deadline on 25 May 2018. Your supervisory authority will almost certainly be more lenient if you show that you’re committed to complying with the GDPR and have at least begun to take the necessary steps.
One certainty is that you need to act as soon as possible. This blog covers four essential steps that organisations should ideally have taken before the Regulation takes effect.
Create a data map
Knowing the who, what, where, when and why of data collection and processing is essential for GDPR compliance. Before you can put in place measures to protect information, you need to know what data is collected, where and why it is stored, and when it must be removed.
Organisations often aren’t fully aware of this information. A data map addresses this; it’s essentially a review of the way in which data moves from one location to another.
The key elements of a data map are:
- The information itself (names, card data, biometrics, etc.);
- The formats in which information is stored (hard copy, digital, etc.);
- Transfer methods (the way it’s communicated, such as by email or telephone, and whether it’s transferred internally or externally); and
- Locations (offices, the Cloud, third parties, etc.).
Change the way you collect data
The GDPR states that organisations can only collect data if it has a specific purpose and retain it for as long as it meets that purpose. For many organisations, this will mean having to scrap their standard procedure of collecting as much data as possible and using it as and when the need arises.
Instead, organisations will need to tell individuals what their data is being used for when it’s collected. The GDPR outlines six lawful grounds that organisations can use to justify processing. Most organisations currently use consent, but the GDPR discourages this by toughening the requirements for lawful consent. Consent should therefore only be sought if none of the other lawful grounds apply.
Implement adequate technical controls
The GDPR advises organisations to pseudonymise and/or encrypt all personal data. This won’t stop malicious actors from accessing the information, but it will make it much harder for them to make use of it. According to Gemalto’s Breach Level Index, only 4% of data breaches since 2013 have involved encrypted data.
Pseudonymisation masks data by replacing identifying information with artificial identifiers. Although it is central to protecting data – being mentioned 15 times in the GDPR – and can help protect the privacy and security of personal data, pseudonymisation has its limits, which is why the GDPR also mentions encryption.
Encryption also obscures information by replacing identifiers with something else. But whereas pseudonymised data can still be partly read by anyone with access to it, encrypted data can be read in full only by approved users who hold the key.
Pseudonymisation and encryption can be used simultaneously or separately.
Educate your employees
Anyone in your organisation who handles personal data needs to be aware of their obligations. After all, robust data protection policies and procedures will be of little use if your staff aren’t aware of them or aren’t following them.
It can be tricky to put together a programme that covers everything your employees need to know, which is why many organisations use existing courses, such as our GDPR Staff Awareness E-learning Course.
This course introduces employees to the essentials of the GDPR, including:
- The key data protection roles;
- The scope of the GDPR;
- The six principles for collecting and processing personal data; and
- How to comply with the GDPR.