Earlier this year, following months of uncertainty, the United Kingdom officially committed to adopting the upcoming European General Data Protection Regulation (GDPR) despite its vote last year to leave the European Union. This formal adoption makes it clear that UK organisations must start preparing for the new legislation to take effect on 25th May 2018. In September the UK also plans on introducing a Data Protection Bill that will incorporate many of the GDPR requirements.
The new regulation provides much higher fines for not reporting data breaches, along with provisions for greater individual data privacy, the right to erasure and a mandate for some companies to employ a Data Protection Officer (DPO). In addition, the regulation applies to not only UK and European countries, but any country that handles European customers’ data. Almost every large global company (and every European individual) will be affected.
These new rules can get confusing for organisations so we've tried to give you a starter of three recommended steps for getting your organisation ready for the GDPR and keeping your employee and customer personal information safe:
Step One: Conduct an audit of all the private data your organisation owns and document your processes.
Ensuring that you are taking the necessary steps to protect an individuals' privacy starts with understanding the data your organisation owns, and then classifying that data and where it fits within the new requirements.
Under GDPR, organisations are also required to maintain records of their processing activities. If you have inaccurate personal data and have shared this data with another organisation, you must inform that organisation about the inaccuracy so it can correct its own records. This won't be possible unless you know what personal data you hold, where it came from and who you share it with. That's where documentation comes into play. Organisations should document everything to ensure they can comply with the GDPR's accountability principle by having effective policies and procedures in place.
Step Two: Understand the right to erasure.
After conducting your audit, you'll know which types of data you have and any potential issues that may arise, but you can also begin to remove individual records and erase them as necessary. This allows you to clean up your data, making you less likely to be heavily affected by any potential data breaches.
Proactively planning for the removal of data also helps organisations meet "right to be forgotten" requirements, while also decreasing the chances of being investigated and fined by the Supervisory Authorities. An important point to remember is the right to erasure includes all log entries and means erasing forever—not just deleting files on a surface-level basis (i.e. sending them to the Recycle Bin).
Step Three: Appoint a DPO or equivalent steering group if necessary for your organisation.
The GDPR requires organisations to appoint a DPO if they "engage in the large-scale monitoring or processing of sensitive data." So whether you choose to hire internally, externally or outsource to a third party, it's a good idea to have a person(s) appointed to be directly in charge of data protection. In addition to facilitating compliance by using accountability tools (such as carrying out or ordering data protection impact assessments and audits), DPOs act as intermediaries between relevant stakeholders (such as supervisory authorities, data subjects and business units within an organisation).
Of course, these are only three of several major steps your organisation must take to be ready when the GDPR comes into effect next year and there is much more guidance available from the ICO. But when it comes to securely erasing data, Blancco and Softcat can help with software-based data erasure solutions that erase sensitive files and folders and help you achieve compliance with the 'Right to Erasure'.
Protect your customers' personal data
Visit Softcat's GDPR hub, and contact your Softcat account manager today to start better protecting your customers' personal privacy.