In our previous GDPR doctors feature, Neil Larkins, COO of Egress Software Technologies broke down the basics of the General Data Protection Regulation – now the GDPR doctor discusses getting GDPR compliant.
Do we need to implement new technology to make sure we are GDPR compliant, or do we need to focus on training people?
For the vast majority of organisations, both technology and people are going to have a part to play in becoming GDPR compliant.
But before any real decisions can be made on the steps that need to be taken to be GDPR compliant, you need to have a firm grip on a number of things, including:
- The data you store and manage, and its levels of sensitivity
- The data you share, and again its levels of sensitivity
- How it is shared – digital / paper / etc.
- What departments / users share specific data types
- Who they share with and where
Conducting a data audit will give you a better understanding about how you store and handle any personal data. If data is stored internally, are processes in place to effectively manage and protect it?
If data is stored externally, has the supply chain been audited to understand where the data resides? Once this information has been mapped, then decisions can be made about the role technology and users will play in becoming GDPR compliant.
However, it is important to note that the two should not be managed in isolation from one another. Used correctly, technology can support and protect users, acting as an additional line of defence, but, at the same time, users need to be educated on the role of technology in supporting and helping them in their day-to-day work. The more engaged the workforce, the greater the uptake of technology, and of data security tools in particular.
As an example of risk factors, under the GDPR sending an email attachment to the wrong recipient could constitute a serious breach, but how many of us would admit to having accidentally sent an email to the wrong recipient?
It’s an all too easy mistake to make, but what if there was technology that could be applied to alert the sender to the potential mistake before they hit send? Employees should be aware that care needs to be taken when sharing sensitive information, but technology can also act as a safety net.
Another example would be where a user has misplaced their mobile device. If they are using the device to access corporate data this could represent a potential data breach, but not if the data has been encrypted and administrators are able to remotely kill access.
What technology and training do I need to implement?
While each organisation will discover differing needs once they’ve conducted their data audit, for every business, I would suggest investing in technology that makes data un-identifiable, such as encryption. Often, data is most vulnerable at the point it is shared, whether because an email has accidentally been sent to the wrong person or because it has been shared on a third-party collaboration platform.
GDPR requires organisations to be able to demonstrate that they have put in place the necessary technology and training to protect shared information and, crucially, being able to prove that reasonable effort was made may be the difference between huge fines and none.
So, if you have in place policies that can automatically apply encryption, the underlying data remains secure – regardless of a breach.
It would also be a good idea to evaluate your audit and reporting capabilities to ascertain whether or not you would be able to respond to a breach within 72 hours, and how you would manage other demands, such as Freedom of Information requests or Subject Access Requests.
In these areas, it’s likely that you’ll find some form of technology is required in order to automate processes that would be hugely arduous if carried out manually.
In terms of training, all employees should be trained in data security best practices – how to identify a phishing attempt, password management, sharing data securely and so on – if not regularly, then certainly as part of their induction.
They should also be educated on how to use any new technology that is implemented in the run-up to the GDPR in order to ensure they are not only using it correctly, but also that they are using it at all!
If you have burning GDPR questions that you’d like answered, please send them to Zen.Terrelonge@realbusiness.co.uk and we’ll get these answered for you.
GDPR doctor Neil Larkins co-founded Egress Software Technologies in 2007 and currently serves as chief operations officer, playing an instrumental role in shaping the strategic direction of the business, with particular emphasis on product and service development.