As 25th May 2018 looms closer, Information Security personnel and anybody responsible for data protection should be ready to ensure that their organisation has completed their GDPR compliance checklist for the General Data Protection Regulation coming into force on that day.
Data Privacy Impact Assessments (DPIAs) should be well on their way to completion and Data Flow Maps drafted, if not already pinned to the walls of your ‘War Room’ as you manage the mass of information that tracking Personal Data (“Data”) has caused!
Keeping Data-tracking simple is the key. Don’t over-complicate the process. In most cases, we only need one ‘Source of Truth’ Data set used in multiple places for different legitimate reasons for collection and processing.
As Intercity’s Information Security & Compliance Manager I am responsible for our GDPR compliance project. From my experience, a key tip is to look at the processes that employ the Data and track them rather than trying to track the full lifecycle of the Data all at once.
Provided that you keep the Source of Truth, tracking the process enables you to tackle bite-size chunks with the relevant stakeholders and ask the following questions for each process as part of your GDPR compliance checklist:
The answers to these questions could be “Yes, we use the Data” or “No we don’t need the Data any more as we now have access to the system” or even “I like keeping the Data, just in case.”
GDPR compliance isn’t intended to stop you from processing Data or stripping it down so there is only one Source of Truth. It’s intended to ensure that you:
Remember - Data doesn’t belong to the company. It is on loan from people who are entitled to expect that it will be used only for the purpose for which it was collected and that it will be kept safe in someone else’s hands.
People are one of the biggest risks because we can’t control everything that they do. You can’t put a firewall or a configuration setting in front of someone that says “you can’t process Data in that way” or “if you receive this Data, you must handle it in a particular way.”
People are independent, so although you can influence them, you can’t control them. So how do we mitigate the risk? Employees should understand the risk associated with Data, particularly that which they hold or process. A training program including Data protection and information control should be given to everyone, supported by published, accessible policies and processes on: information classification, document control and acceptable use of equipment.
Technology also plays a massive part in every key business process. From small SMEs to enterprises, technology is everywhere: from obvious, visible technology like laptops, mobile phones, the Internet, email and applications, to technology working in the background like servers, cloud computing and firewalls - the list goes on and on. Ensuring the security of all technology that collects or processes Data should be a key part of your GDPR compliance checklist.
ISO27001 Information Security accreditation is a key indicator of how seriously an organisation takes security. ISO27001 certification ensures the ongoing confidentiality, integrity and availability of information within the business. Have you asked your suppliers whether they have this certification?
Ask for a copy of the certificate along with a signed Code of Conduct - this will give you more confidence that any outsourced processing of Data is being handled appropriately.