It is not commonly known, but 28th January is Data Protection Day (known as Data Privacy Day in some countries). The Day is an educational initiative with the aim of raising awareness of and promoting data protection best practice. The timing could not be more appropriate, as the General Data Protection Regulation (or GDPR) is high on the agenda of most organisations, and if it isn’t then it should be.
One of the challenges of GDPR is demystifying what it means in practical terms for organisations and how to get started on preparing for compliance. These were among the many questions raised by attendees at the GDPR events we ran at Tower Bridge in London on 19th January. At the event, headlined “GDPR: Control Your Data”, we were joined by two guest speakers with considerable knowledge of the subject.
Sean Huggett, from our information governance and cyber security partner, Cybercrowd, set the scene by covering the implications of GDPR and steps to consider now. He explained that GDPR comes into force on 25th May 2018 and will profoundly reshape the way that organisations handle data protection and governance. It will apply to all 28 member states of the European Union (EU) and will affect all organisations processing the personal data of EU citizens irrespective of where the organisation is based. The regulation broadens the types of personal data that are protected, increases the rights of data subjects, and places new and substantial obligations on data controllers and processors. The penalties for non-compliance are potentially huge and are intended to be dissuasive. The data protection authorities will be entitled to fine organisations up to 4% of worldwide turnover or €20m (whichever is the greater) for the most serious infringements.
Sean provided the attendees with four practical steps to start working on to help prepare for compliance:
1. Understand Your Data:
Audit the personal data you hold: understand how it was collected and why, what it is used for, what the internal data flows are, where data is transferred externally, where it is stored and in what format. Then apply the 6 key principles within the GDPR and assess the risk of processing the data through Data Protection Impact Assessments.
2. Document Your Processing Activities:
Understand the documentation obligations in the GDPR and put these in place. Document how your organisation complies with GDPR and create an audit trail that demonstrates that you have accepted accountability for protecting the personal data you process and consistently apply best practice.
3. Apply Technical & Organisational Measures:
Review your security posture and information risk management framework and bring them in line with best practice. This should span people, process and technology, and address not only protection but also incident detection and response. Ideally, organisations should achieve a recognised accreditation to help demonstrate that they follow best practice.
4. Review Third-Party Relationships:
Make sure you know and manage your data processors, and ensure that your contracts with them commit them to meeting their data protection and GDPR obligations.
The starting point of understanding and auditing your data will be daunting for most organisations, given the amount of data we store and archive and the spread of locations we use, including on-premises storage, cloud storage, public cloud environments, SaaS applications, endpoints and more.
Tom Sargeant, Head of Technology with our information management solution partner Veritas, explained how Veritas’s tools help organisations audit and map their data. Tom explained that only 15% of the average company’s data is considered business critical, that 33% is redundant, obsolete and trivial (or ROT for short), and that 52% is ‘dark’, meaning that no value has been assigned to it. Identifying what is ROT and dark enables organisations to erase data that might be personal but has no value to the organisation (thereby reducing the risk of losing that data), while also reducing the volume of data stored and the ongoing infrastructure costs.
Get your organisation ready for GDPR
Although Data Protection Day falls on Saturday, in reality every day between now and May next year, and thereafter, is going to be a Data Protection Day. Softcat can help you prepare for GDPR with specialist services and technology solutions. Talk to your Softcat account manager or get in touch using the button below for more information.