What is GDPR?
Simply put, it is new legislation aimed at giving control of people’s personal data back to the data subject. It expands on the Data Protection Act with added points around accountability. It applies to personal data and sensitive personal data.
Who does it affect?
The GDPR applies to any ‘controllers’ and ‘processors’ of personal data within organisations that offer goods or services to individuals in the EU. Yes: if you are an organisation in the US that works with organisations in the EU, then you are affected.
Where can I read more about the facts?
With those three points covered you will have an idea of how GDPR might affect the organisation you work at but what are you going to do about it? I have put together a 6-step process to help you get started.
- Work out if this is important to your organisation. This might seem like the wrong approach, but it amazes me how many people I see over-investing in things that offer no value and carry little risk, just because somebody said they should look into it. Once you have an idea of your organisation’s appetite to comply, you can move on.
- Work out how much time and effort you want to put into this. As with all things, you can aim for 100% compliance, but is the cost worth it? Wetherspoon’s in the UK took drastic action based on their risk/reward profile and decided to delete their entire customer database. That might be a little overkill, but work out where you sit on the scale.
- Build a team around you. This probably isn’t a one-woman/man job, and you will need to raise the visibility of the topic with your CEO, so get the right players on your side and form a working group on the topic.
- Start the work of digging into the legislation and defining actions that you can take as an organisation to move towards compliance. Some actions will be simple, others will look like they are unachievable at first.
- Put together a plan for how you can start putting those actions into practice and move your organisation closer to GDPR compliance. This plan is VERY important, as it will be your evidence trail that you can provide should your Information Commissioner’s Office come chasing.
- Action the plan – #easy.
Unfortunately, step six probably isn’t as easy as you want it to be. If only there were a silver bullet that would solve everyone’s problems; that just isn’t going to exist for GDPR compliance. Every organisation is different, using different technologies, processes and people, and with different risk appetites, so the action plan will vary. If you see somebody selling you a complete GDPR solution, then walk away, as they probably haven’t read it and certainly don’t understand it.
Here at RecordPoint we have considered the legislation and split it into 5 sections that we will look at. For each section there are several relevant articles from the legislation, and there are many tools you can use to help you reach a level of compliance within each.
Identify, Discover, Retain, Protect and Monitor.
Identify – GDPR Article 30.
Identifying the personal data within your organisation, who has access to it and understanding how long it should be retained for all fall within this category.
Discover – GDPR Articles 15, 16, 17, 18, 20.
Managing subject access requests, including the right to data portability, the right to correct the data and requests for deletion of the data.
Retain – GDPR Articles 5, 17, 32.
Being able to retain personal data for a period of time directly related to the original intended purpose, and being able to use retention policies to expire data at the end of this period.
Protect – GDPR Articles 5, 25, 32, 33, 34, 35.
Ensuring you have measures to show how you are protecting the personal data you store, and making sure you have built data protection into all activities.
Monitor – GDPR Articles 5, 15, 16, 17, 18, 20, 24, 35, 42, 44, 45.
As an organisation, monitor for certain types of data breaches and report them to the relevant authority and, in some cases, to the individuals themselves. You must be able to monitor for breach activity and trigger processes and procedures to ensure compliance.
As for the tools that will assist you with each of these sections: you never know, you may well already have some of them. I often talk to people who think they need to go and buy a GDPR solution, but really what they need to do is understand, from the above 5 sections, what they are trying to achieve and what technology would help them get there.
I also often say that a lot of what is covered in GDPR is really just good record keeping and information governance, and therefore I think we are in a good position to assist you in these areas.
Identify – We have partnered with TermSet, who can provide you with tools to scan your content repositories and extract the personal data. This information can then be used to identify areas of risk and where your organisation should target first from an information governance perspective.
Discover – RecordPoint can search through the personal data identified and allow you to export content so that the right to correct the data can be executed. If a person requests the right to be forgotten, then RecordPoint can also destroy the data in a defensible way, leaving behind a destruction certificate.
Retain – RecordPoint has the capability to keep data based on a classification and retention schedule. Content can be placed on hold, or at the end of its lifecycle it will follow a disposal process resulting in one of Export, Dispose, Review or Keep Permanently.
Protect – You should ensure that wherever your data is kept has the relevant firewalls, backup and disaster recovery processes in place. If you are using Office 365, ensure that your requirements are met by the licence you have.
Monitor – Office 365 has built-in protection capabilities that you may require. Its Advanced Threat Protection is one instance of how it can protect your Exchange data and give you insights into the kind of attacks happening in your organisation.
As you can see, you will need a bag of tools at your disposal to tackle GDPR. We certainly think we can help you with some aspects and would be happy to understand more about the challenge you are facing and the ways we can assist.