Most organisations will be able to relate to being overburdened with data, unsure where it is or even what it’s doing. Archiving is the norm because out of sight is out of mind.
Functions and architecture are driven by the need to accommodate data and often ringfence data in order to protect it, while functions continue to collect data irrespective of the use and value it drives within the business. GDPR will look to resolve all of that.
One of the key concepts within the GDPR is the ‘controller’. Each time an organisation processes data, whether personal or not, it is in effect either a controller or a processor.
The first question to ask yourself as an organisation is whether you are acting as the entity that determines the purposes for which and how that data is held or processed – if so you’re the controller.
Being the controller is most certainly not something to fear – in fact it’s something to embrace. It gives you the opportunity to drive value from that data, so long as that value is derived through the right means and methods. Along with the collection and use of personal data it is essential that you understand your role as a guardian of data and the management requirements placed on you as a controller. Key changes see the legislation champion a much more active role for the controller of the data including high level responsibilities such as:
- Personal data must be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure personal data are accurate. Have you got the right controls and workflow in place to maintain your current data, and how have you changed the way you bring data into the organisation?
- Minimise data where possible. How can you change user behaviour from “keeping it because we might use it in the future” to “if it’s not being used and there is no agreed future use, it does not need to exist within the business”?
- Data pseudonymisation should be driving the way you store and use data.
- You must perform Privacy Impact Assessments to analyse and minimise the risk to your data subjects prior to the commencement of new processing activities, and for existing activities it is critical that you carry out ongoing and regular assessment of those activities.
- Data Breach Notifications mean that you will have to be prepared and ready to alert regulatory authorities within 72 hours of discovering a breach, and will have to do everything in your power to make the data subjects affected aware of the impact and/or risk to them of the breach.
- Whilst SARs (Subject Access Requests) have been an existing feature of the Data Protection Act, the GDPR is likely to see an increase in SARs, and controllers must action these requests without undue delay and in any event respond within one month of receipt of the request.
- Consent-driven processing means that you can only process data for the express intention that was agreed upon by the data subject and any processing beyond that remit is unlawful without clear consent.
- Withdrawal of consent will require that you stop any processing in its tracks wherever it is in the business – and consent must remain as easy to withdraw as it is to provide, meaning that if you can consent with a tick box you must be able to withdraw using a tick box.
Once you understand the implications of the legislative mandates above, you are ready to start using your data in line with the GDPR. Accurate, up-to-date data is of higher quality and can provide improved accuracy of business insights, be it in HR, marketing, operations or elsewhere. Effective data minimisation can also deliver major cost savings to the IT organisation: removing stale data frees up space and reduces the business's storage expenditure. Understanding exactly which areas of your business are personal-data heavy will allow you to architect better now and in the future and to protect the areas that need it most, improving the effectiveness of security spending in the long run.
Xonetic has the relevant experience and expertise to mature data controlling within your organisation to compliance with the GDPR. We help you answer the key questions that the General Data Protection Regulation will ask of your organisation as a data controller, delivering compliance and business assurance.
GDPR will require a change in the way that your organisation thinks: appropriate, demonstrable technical and organisational measures will need to be implemented, along with appropriate data protection policies. Xonetic can effectively deliver the organisational change you need to control your data.
People management when controlling and processing data becomes critical under the new regulation. Alongside an education piece, it is imperative that you understand the need for responsibility and accountability within the organisation, where roles and responsibilities are clearly outlined and executed to maintain the integrity of the organisation and protect the rights and freedoms of data subjects.
So what are the requirements that you should start thinking about as a controller of data?
- You must be compliant with the GDPR by 25th of May 2018.
- You must ensure that GDPR compliance is driven at a board level.
- Understand the proliferation of personal data throughout your organisation.
- Understand the crown jewels in terms of personal data – what is likely to have the largest impact if breached, what is your level of data protection maturity in that area, and what is the gap between current and required compliance.
- Coordinate the education of your workforce; GDPR is as much cultural as it is technical.
- Remove barriers to prevent shadow activities, move away from “you can’t do that”, to “you can do that, if…”