D-Day for GDPR is 25 May 2018

‘Keep calm and carry on’

Christine Andrews, managing director at data governance, audit and consultancy firm DQM GRC, said “keep calm and carry on” seems a fitting theme for the published regulation.

However, she said this is only the case if you’re one of the organisations already valuing customers’ data.

“Unfortunately, for too long, some organisations have presumed consent, worked with implied permission, and experienced data losses that have taken months to detect and report. In some cases, such as TalkTalk, [organisations] have been unable to properly classify what personal data has been compromised.

“No CEO wants to look as ill-informed as poor Dido Harding, and customers have an absolute right to expect better,” she said.

Preparing for legislation

According to Andrews, there are a few steps organisations can take to begin preparing for the new legislation immediately.

“First, organisations need to evaluate the personal data they have; categorising the data so they are clear where the personal and sensitive data resides and where other less important data sits in the company,” she said.

Usually, said Andrews, drafting a data flow map will help businesses to understand the pattern of data through the company, provide clarity on who has “eyes on” the data, what skills these people have and, finally, highlight where the data ends up.

“Once organisations understand just what personal data they have, they should then ensure that regular risk assessments are completed to understand the degree of threat imposed on the company when processing data.

“Indeed, the GDPR demands a risk-based approach with the development of appropriate controls. This should, in a single stroke, ensure that management recognise the dangers associated with the loss, misuse, theft or any other compromise of customer data,” she said.

For organisations that pass data onto third parties, Andrews said there is often a tendency to presume that they must operate to high standards of data security and protection. However, the GDPR now states that controllers must only engage with processors who can provide “sufficient guarantees”.

“Basically, as the data owner, you must check they have effective “technical and organisational measures to ensure the security of the processing,” she said.

Data breach response plan

The GDPR also introduces the need for organisations to prepare a breach notification plan in the event that something does actually go wrong.

“If you’re already clear on what type of personal data you manage (categorisation) and where it is (data flows), then this process will be somewhat easier,” said Andrews.

“However, it’s worth being clear on who will co-ordinate the customer communication, the media response and the remedial activity – and make sure you rehearse this so you are practiced in the actual event. Consider it a data breach fire drill.”

Although organisations have a two-year deadline to become compliment with the new legislation, it is vital to remember that two years can pass quickly, she said. For many organisations, a significant amount of time and financial investment will be required, she added.