As Game of Thrones fans would say, GDPR is coming! Many companies around the world, and especially in Europe, are feeling the stress building. There is still a significant amount of confusion around the implications of the General Data Protection Regulation, which is concerning as it is rapidly advancing on us and will kick off on May 25, 2018.
As we start talking to organisations, we hear a lot of questions like:
"What should my company be doing before May 25, 2018?"
"What will happen if I do not comply with GDPR before the deadline?"
"How will my company be affected by GDPR?"
To answer these questions, it is essential to understand what we’re dealing with.
If you’ve previously worked with data regulations, then you possibly have a basic understanding of GDPR; you will certainly have heard of it and of the implications of not complying once it comes into effect. This is critical, as the penalties if you are found to be non-compliant are significant.
So, in a nutshell: GDPR places each individual a business communicates with (internally or externally) at the central point. It also views every interaction as a digital footprint that needs individual management based on the rules laid out by the GDPR.
Many organisations in non-EU countries ask the question: "Is it necessary for my organisation to be GDPR compliant?" It is quite simple to figure this out. The need for GDPR compliance entirely depends on whose data you possess. If you gather data on an EU citizen, you are liable to the regulations. This includes data gathered in order to make a transaction, or to export an item to a person in the EU. It even counts if you’re sending an item inside the U.S., if the buyer makes the payment with a credit card from the EU.
The GDPR influences the manner in which we collect and manage data, the duration we hold it and for what purpose. It also concerns how we interact with individuals using the data we possess, how we anonymise the data and how we delete the data.
There should be a set process to control responses to customers exercising their right to be forgotten, and there is a strict time limit within which these requests must be actioned. The reality is that some businesses are now required to appoint a data protection officer (DPO) or data protection agency. GDPR has taken on an entirely new level of importance over and above the Data Protection Act it replaces. With that, the GDPR guidelines have required most organisations to perform a comprehensive business process overhaul.
Keeping this in mind, many organisations are considering shutting down a system or platform as a viable solution, as they know they cannot ignore GDPR and don’t want to risk being fined. Consider this: how many days can you run your business without those important systems, possibly even those forming part of your HR or your BI functions? After all, you implemented and developed the systems because your business needs them!
Clearly, shutting down key systems is not a solution. A far better solution is to become GDPR compliant. Naturally, the next question is: "What do you need to do to become GDPR compliant?"
To begin with, a good IT Security audit is necessary, enabling you to assess where you’re starting from. This provides a starting point for understanding what is needed in order to become GDPR compliant. Here’s a video on why completing an IT Security audit is essential:
These initial questions will help you to assess your IT Security parameters:
1. What data does our company possess?
This one is pretty easy. List the various systems that exist in your organisation (HR, ERP, CRM, and so on) and document the data structure in each system, focusing on any user-specific data.
2. Where is all the data stored?
From answering Question 1, you should have a complete list of your organisation's IT systems. Next, you need to figure out where those systems store their data. This could be in the cloud, on a physical server, in a datacenter, etc., so you will need to be very specific about the actual data locations. During this process, you may discover more systems that weren't initially on your list.
3. How do we use this data?
In a generic sense, you know you use the data for business operations. However, do you realise you also need to consider details of budget analytics, market research and other tasks that you may have neglected to include? With GDPR being just around the corner, collecting information about each of these functions so you can include them in the audit is very important.
4. Who can access our data?
You will need a full understanding of who can access the data in the systems and various locations, including anyone who uses the data for marketing, analysis or even just storage.
No doubt, by the time you have completed this process, your list of IT systems and data usages will have grown since your initial assessment. This makes the task of finding out who has access to your data even more challenging.
Talking to more people within your business may lead to added confusion as to what exactly needs to be done to get out of this crisis. Instead, we recommend you follow a more practical approach to become GDPR compliant. Take advantage of GDPR as an opportunity to strengthen your management control and security of all the data platforms in your organisation.
With May 25 approaching, all businesses need to get up to speed quickly with GDPR compliance. Ensuring compliance requires a number of tasks, but to get to the finish line, start with a comprehensive IT Security audit.
For an extensive IT Security audit, please get in touch with our team of experts. We're here to help businesses like yours achieve GDPR compliance before the deadline.