In the latest of our GDPR doctors features, in which our legal and technical experts explain what companies should know ahead of GDPR’s arrival on 25 May 2018, Neil Larkins, COO of Egress Software Technologies, explains how to tackle GDPR preparation if it has passed you by so far, as it has for one business owner.
As we’ve only got a few months until these new regulations become law, is there anything we can do to prepare quickly? GDPR has crept up on us a bit – what can we do to get up to speed from almost scratch?
To start with: don’t panic. There’s a lot you can get done in four months, but it is going to take some consideration to work out what’s best for your business.
Precisely what you need to do will depend on a number of factors – what your organisation does, its size, what data protection policies you already have in place and so on. However, here I’ll run through some fairly general things you need to get cracking on in the run-up to 25 May.
(1) What data is where?
I talked about this in more detail in an earlier column, but before you can make any GDPR preparation decisions you’ll need a good understanding of what data your company holds and where it is, which means conducting an audit. This should be your starting point. Depending on your data handling and storage procedures, this can be a small job or a big one – either way, it’s crucial.
(2) Review your current data protection procedures
There’s every chance you’re already meeting a number of the requirements of GDPR preparation and, at this stage, there’s no need to reinvent the wheel.
Take a look at what you are doing now and assess whether you are already compliant in the various areas. If you are, you may wish to tighten up some procedures later down the line, but for now focus on those areas where compliance is currently an issue.
(3) Is it sensitive?
Not all data is created equal, so once you have completed your audit it’s worth classifying it, so that different measures can be taken for handling, for example, credit card details as opposed to order numbers (although if the two appear together, the combination will need to be treated as sensitive).
While you want to make sure sensitive data is classified as such, overdoing it can be a hindrance to the business and stop people doing their jobs effectively – which should be avoided.
(4) Technology investments
Depending on what you discover throughout the GDPR preparation audit process, you may want to invest in some technology to help carry the burden of achieving and demonstrating compliance. You should look to do this as soon as possible in order to find the best possible vendors for your needs. Technology that may well be required includes:
Secure storage systems – it goes without saying that, particularly if you’re using the cloud, you need to make sure security is watertight. Depending on how much sensitive data you hold (and what it is), you may also want to invest in specialist secure storage and sharing systems to be sure.
Identity and Access Management – data should only be accessed by the people who legitimately need it. IAM tools not only verify that those accessing information are who they say they are, but also allow policy-based controls which ensure that anyone who doesn’t need access to certain files to do their day-to-day job can’t have it.
Encryption – the ICO has stated that if, in the event of a breach, the data has been rendered unintelligible (as it would be through encryption), data subjects do not need to be notified. It is, therefore, highly recommended that you invest in encryption technologies.
(5) Communicate and prepare
Compliance is a team-wide effort and you will need to communicate with employees about the new policies and procedures you have in place. If, for example, an employee inadvertently emails an unencrypted spreadsheet containing sensitive data to the wrong person, what should they do? Discussing these scenarios and the steps to take is going to be important for GDPR preparation – particularly in the event of a data breach.
At some point during this process you will also need to appoint a Data Protection Officer (DPO). That person can be recruited specifically for the role, or it can be added to a current member of staff’s responsibilities – such as a CIO or IT manager.
When you choose to appoint this person will be up to you, but having them in from the start of the GDPR preparation process can make things run more smoothly.
The overarching advice for GDPR preparation is to take it one step at a time, do your due diligence and – crucially – don’t panic.
If you have burning GDPR questions that you’d like answered, please send them to email@example.com and we’ll get these answered for you.
GDPR doctor Neil Larkins co-founded Egress Software Technologies in 2007 and currently serves as chief operations officer, playing an instrumental role in shaping the strategic direction of the business, with particular emphasis on product and service development.