3 Considerations You Need to Start GDPR Compliance Today
The GDPR compliance and enforcement date is looming close. The reality of it all seems to finally be sinking in for businesses, as those in charge come to terms with the risk they could be exposed to. The realisation that the regulation will have a significant impact on businesses has sunk in. Many are scrambling to start the journey to compliance and to protect the data they process.
The sudden urgency is quite a surprise to me. We began our GDPR process changes over a year ago and I believed senior management would do the same. I thought they would stop in their tracks and take note, but this didn’t happen. Apparently, a €20 million fine just wasn’t enough to grab their attention! It’s such a large fine that many simply don’t believe it’ll happen to them.
Many of those who showed interest in GDPR were quickly put off by the perceived scale of work required. Businesses and management began to relax as the rumour of GDPR being the next Y2K started circulating! But the GDPR is no Y2K. Let’s be clear, this is not a perceived software bug! This is a change in government regulation, the most comprehensive change in data protection laws to date. And it’s come not a moment too late.
I want to share with you today how you can easily start making positive changes for GDPR, and show to the ICO that you are making best efforts for compliance.
How do I get started?
We are being asked this question all the time by our contacts and clients. The ICO has put a lot of effort into ensuring organisations are equipped to deal with the GDPR requirements. Companies that currently have no data protection policies in place may find the requirements overwhelming. Plenty of toolkits and recommendations have been created for those who need a little help.
Because of this question, I have decided to write about the 3 key steps which will help businesses start their efforts for GDPR compliance.
Conduct a cyber security audit
If you get a strange pain in your body what do you do? You probably Google it and self-diagnose (never recommended), then call up your GP to speak with an actual doctor. Your GP is there to find the root cause of your problem, understand the symptoms and identify the underlying issue.
A cybersecurity audit is the metaphorical GP for your GDPR journey. To understand your GDPR and data protection journey, you must first understand where the underlying issues within your business exist. The issues must then be addressed in a methodical manner.
The audit is the most valuable step in the process. It helps businesses to apply a higher priority to their customers' and staff's personal information. An audit will provide you with the framework to simplify and manage the GDPR journey. Some of the changes required by the audit will be straightforward, and others will be much more complex. Many of the points within the audit will question your business practices and existing policies. For this, working with an expert partner is often recommended, as they can help you identify current gaps and plan the changes required.
The intended outcome of the audit is to provide clarity on your company's existing cybersecurity gaps, the steps and solutions that address them, and a solid plan of action. All of this is done to ultimately provide you with a government-recognised Cyber Essentials certification.
Find out where your data is
Unless you are already in line with the current Data Protection Act (1998), you may find the personal information you hold about staff and customers is not completely accounted for.
The new regulation states that all personal information held on individuals must be readily available. This is so data subjects can assess the validity of the information you hold about them. They also have the Right to Erasure under certain circumstances.
On the surface, I think many people will believe accessing and deleting customer data is easy. All that needs to be done is to check HR or CRM files. However, that’s not the whole story.
Data is shared much more easily than most would assume. Whether it's email addresses uploaded to a third-party email service, staff passport and visa copies on your payroll system, or Excel files containing personal data, many businesses are moving and spreading data without even realising it. This means the data you thought was only on your CRM and HR systems is actually all over the place. So how do we go about rectifying this?
Personal data discovery is a process that can be run within the confines of your business. It identifies all PII stored on a device and returns the results to you. Like the audit, this will provide clarity on the risks you face and point to further actions that can be taken.
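As an added illustration of what a device-level discovery scan looks like in practice (example code written for this article, not a Support Tree tool), the script below builds a small constructed file tree that mimics the sprawl described above, with the same email addresses copied into an HR export and a marketing newsletter export, a phone number buried in finance notes, and an unrelated build log. It then walks the tree, counts matches for three illustrative categories of personal data, and returns a per-file and per-category tally. The categories, regular expressions, file names and sample values are all assumptions made for the example.

```python
import os
import re
import tempfile
from collections import Counter

# Illustrative patterns for three categories of personal data commonly found
# scattered across SME file shares. The categories and regexes are assumptions
# for this example; a real inventory would be tuned to the identifiers you hold.
PII_PATTERNS = {
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    "uk_mobile": re.compile(r"(?<!\d)(?:\+44\s?7\d{3}|07\d{3})\s?\d{3}\s?\d{3}(?!\d)"),
    "uk_ni_number": re.compile(r"\b[A-Z]{2}\s?\d{2}\s?\d{2}\s?\d{2}\s?[A-D]\b"),
}

# Text-like files the scanner reads. Binary office formats (xlsx, docx, pdf)
# would need a dedicated text extractor and are skipped by this example.
TEXT_EXTENSIONS = {".txt", ".csv", ".log", ".eml", ".md"}


def build_sample_tree(root):
    """Write a constructed file tree that mimics data sprawl: the same personal
    data copied into HR, marketing and finance folders. All values are made up."""
    files = {
        "hr/staff_list.csv": (
            "name,email,ni_number\n"
            "Ada Example,ada.example@example.com,QQ 12 34 56 C\n"
            "Ben Example,ben.example@example.com,QQ123457A\n"
        ),
        "marketing/newsletter_export.csv": (
            "email\nada.example@example.com\nben.example@example.com\n"
            "customer.one@example.org\n"
        ),
        "finance/invoice_notes.txt": (
            "Call Ada on 07700 900123 about the March invoice.\n"
        ),
        "ops/build.log": "2023-01-01 build ok\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def scan_for_pii(root, patterns=PII_PATTERNS):
    """Walk `root`, read every text-like file and count matches per category.
    Returns {relative_path: {category: count}} for files with at least one hit."""
    findings = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in TEXT_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                text = fh.read()
            counts = {cat: len(rx.findall(text)) for cat, rx in patterns.items()}
            counts = {cat: n for cat, n in counts.items() if n}
            if counts:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings[rel] = counts
    return findings


def summarise(findings):
    """Total hits per category across all files, to size the clean-up effort."""
    total = Counter()
    for counts in findings.values():
        total.update(counts)
    return dict(total)


def scan_sample():
    """Build the constructed tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        findings = scan_for_pii(build_sample_tree(tmp))
    return findings, summarise(findings)


if __name__ == "__main__":
    results, totals = scan_sample()
    for path, counts in sorted(results.items()):
        print(f"{path}: {counts}")
    print("totals:", totals)
```

The per-file output is the useful part for the GDPR journey: it shows the same email addresses living in both the HR and marketing folders, which is exactly the copy you would not have found by checking only the CRM. A real scan would point `scan_for_pii` at a file share or laptop rather than a temporary directory, and the match counts feed the data inventory that a subject access or erasure request has to be answered from.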
Update your policies
Having completed numerous client audits, it has become clear that writing cybersecurity policies – a best practice – is not high on the list of SME to-dos. We’ve worked with companies that have been trading for over 30 years, and I’m honestly not sure they would create new policies for their systems if GDPR wasn’t a concern.
If you have no pre-existing data-protection policies, I recommend the following three to get you started.
- An IT policy
- Systems security policy
- Data protection policy
I recommend these to anyone who is at a loss about where to begin. Regardless of the size or complexity of your system, these are ideal to get you started. Having evidence of a solid policy shows good intent towards the protection of personal data you hold, which is a big step forward in controlling your PII. Taking this action will help reduce your chance of data loss significantly, and will work in your favour with the ICO should you face a loss of PII.
Bear in mind…
The three steps above are not the golden solution. Many more steps must be taken to reach the gold standard, which in the future will undoubtedly become the "default" standard. The remaining steps must be planned to meet budget and resource requirements. Engagement from senior management is crucial for this, and they must drive the change. Those who fail to do so will leave themselves vulnerable to reputational damage, poor control and, of course, the risk of losing data.
Want to know more?
Why not come to one of our technology masterclasses or, if you're in the hospitality industry, one of our hospitality round tables? They're both free to attend and have no strings attached. Many have used them as a way to meet peers and network, whilst gaining first-hand insight from those who do it all.
All that I’ve mentioned above is from my first-hand experience of cybersecurity audits and policy writing. With Support Tree as your partner in this process, we provide you with the advice and procedure to help you budget costs and prioritise actions.
Director of Sales and Marketing and Founder of Support Tree
Passionate about helping businesses discover the potential of technology in improving company performance. Determined to renew people’s faith in how organisations store their personal data.