What is GDPR?
GDPR comes into effect on 25 May 2018 and introduces new obligations for any organisation that handles data about EU citizens regardless of location.
It will place a stricter emphasis on businesses to demonstrate they are managing and protecting personal data alongside introducing data breach notification into European law for the first time.
What does it mean for your business?
Top tips for your business:
It’s about good admin
Make sure you can document the full process of data from the initial consent, through to where it is stored and how it is analysed and used in your business.
Build the right toolkit
Review which standards you already have in place, such as PCI DSS, COA, or ISO27001. These will be a good starting point and the accredited organisation should provide a framework for you to map your current processes against GDPR compliance.
Privacy by design and by default has a concept of minimisation at its core. This is that only the minimum amount of data is held to complete the task at hand. So, the first activity should be to
Highlight examples of where the processing of personal data or archived data is unnecessary and delete it. For example, home IP addresses in your web stats or individual names in market research data. Data erasure is a key tool here, ensure you are disposing of data securely and ethically. [Link to data service page]
Control and audit user access
Keep a tight control on user profiles for systems which can access personal data within your business. Ensure you have an update to date record of log in information as compromising user accounts is one way cyber criminals can gain access to your data. Consider setting up a single sign in system where you have staff accessing multiple systems.
Have the systems in place to detect if you suffer a breach
Make sure you have the right level of Anti-Virus and Anti Malware in place to protect you against a breach. However, with the landscape of cybercrime always changing a breach is never impossible, so ensure you have the correct procedures and systems in place to identify and highlight unusual activity in your systems.
With the enforcement date of 25 May 2018 looming, now is the time to start reviewing your processes and systems to ensure you are complaint!