GDPR is now well and truly established on the agenda for 2018, with the regulation coming into force on 25th May 2018, but it is important to understand that compliance requires ongoing work beyond this date rather than a single point-in-time exercise.
The Information Commissioner, Elizabeth Denham, highlighted in her recent GDPR myth-busting blog (no. 9) that GDPR is not Y2K.
“It’s an evolutionary process for organisations – 25 May is the date the legislation takes effect but no business stands still. You will be expected to continue to identify and address emerging privacy and security risks in the weeks, months and years beyond May 2018.”
Elizabeth Denham, Information Commissioner
The point is that although organisations are focused on the May deadline, and according to the Information Commissioner there will be no ‘grace’ period, compliance extends beyond it. There will need to be continual review and effective accountability to demonstrate that the GDPR principles are embedded across your organisation as part of normal business practice.
GDPR: ongoing compliance
Implementing an Information Security Management System (ISMS) aligned to ISO/IEC 27001:2013 is a great tool to help you identify your data flows and put appropriate controls in place. It also means that you are continuously checking and reviewing your organisational processes and controls to ensure they are still achieving your information security objectives.
It is important to create a culture that respects the rights of data subjects and acts appropriately, and now is the time to review your third-party contracts to ensure all parties, including any processors acting on your behalf, are aware of their responsibilities.
Data Breach Incident Procedure
Design and test a data breach incident procedure so that, if the worst happens, you can notify the supervisory authority within 72 hours of becoming aware of a notifiable breach: have a plan ready, know who to contact, and have trained people ready to deal with it.
Data Protection Impact Assessments (DPIAs)
Data Protection Impact Assessments are now a requirement when you are designing or modifying processing of personal data (often referred to as personally identifiable information, PII) that is likely to result in a high risk to individuals, and they help you identify and minimise risks to that data. They support the concept of privacy by design and by default, making sure that data protection is an integral part of the design from the first stage. DPIAs are normally embedded within an ISMS.
Continuous security testing
Be in a position to continually assess and test for vulnerabilities as part of your ongoing compliance. Recognised annual certifications such as Cyber Essentials Plus, which includes internal and external vulnerability scans, enable you to demonstrate that you have taken appropriate steps to address security vulnerabilities and cyber risks; because certification is a point-in-time check, keep scanning and remediating between assessments.
Staff Awareness training
Staff can be your best defence, but they are also the cause of many breaches. Provide ongoing, regular awareness training to ensure staff know how to support your business, understand your processes and are part of the responsible practices embedded within your organisation.
The new regulation provides an opportunity for organisations to make good data protection part of how they do business, which will benefit their customers, their staff and their reputation.