The EU is imposing a new law that you may have heard of: GDPR. Here are our top 5 tips of the GDPR iceberg.
1. Focus on Top Tier Compliance First.
With a fine of either 4% of global annual turnover or €20M, whichever is higher, as the “DISSUASIVE” deterrent, it is worth knowing first what you should be doing to avoid it.
2. Know Your Data.
Step one is establishing what personal data you already hold, then what you currently collect and how. Don’t forget to map where everything is, and remember that you are mandated to record all activities related to personal data: who does what with which data, when and why.
3. You’re liable for your Partners too.
If the companies you’re working with are not compliant, then both of you will be liable for fines. If you provide personal data for use in the activity you are engaging them for, then you must have “SUFFICIENT GUARANTEES” that they satisfy GDPR compliance.
4. Employ an Outside Gap Analysis.
Do you know how to start this thing? I know I didn’t. The Data Protection Act didn’t get us as far as we thought. GDPR is much deeper and has some teeth. ISO 27001, PCI DSS and Cyber Essentials are good steps but still don’t get you there. For example, you must appoint your own Data Protection Officer (DPO) under certain circumstances, and if you take the smart decision and designate an existing employee as your in-house DPO, then they have to report to the board and also be the person who informs the Information Commissioner’s Office if you’ve broken the law. Not sure I’d like that role.
5. Shake Up Technology and Training.
Aside from the obvious data flow mapping, a cradle-to-grave lifecycle document for personal data, employees need to know the seriousness of this law and what their role is in protecting your organisation. It will be worth putting your systems to the test as well by simulating a data breach: who reports what to whom about what happened, on which system and why, and can you report it fully, with a remediation plan in place, within the 72 hours stipulated? (That’s 72 hours from the moment of discovery too, no matter what time of night or weekend; the stop clock is on!)
This is by no means comprehensive, and it isn’t meant to be, as there are 173 Recitals and 99 Articles of the regulation to understand and comply with. There are people who can help you, although the letters GDP & R have become the latest “buzz” acronym for marketers pushing products and services that fulfil one piece of a business’s compliance puzzle; I’m yet to see any one technology able to get you there.
Make sure your consultant is an IBITGQ accredited EU GDPR practitioner. That means they are a registered and qualified practitioner for GDPR compliance advice and implementation. Of course, they still may not have the right approach. Traditional technical, tick-box consultancy is no longer adequate; this is a business issue, not just a technical one, and it will take a higher level of diplomatic interpersonal skills than is currently on the market in the main.
We’ve teamed with the brightest star in the GDPR field, Cybercrowd. If you don’t believe me, then let me set you up a call with them. They have dissolved the illusion of complexity, so that even the most junior staff can understand it. This is just my learned opinion, but let’s take sales out of this: they are working with us now for our own compliance, and we will depend on having the best to be leaders in this market. We drink our own Champagne, as it were.
If you want more on this subject, then let me know and I will also be posting more about this over the coming months.