How to manage your business data under the new GDPR

What is GDPR?

GDPR comes into effect on 25 May 2018 and introduces new obligations for any organisation that handles data about EU citizens regardless of location.

It will place a stricter emphasis on businesses to demonstrate they are managing and protecting personal data alongside introducing data breach notification into European law for the first time.

What does it mean for your business?

• All businesses will need to comply to these regulations, so you cannot avoid it
• From now all, pretty much all personal data will now fall under GDPR, including anything that can be used to identify an individual.
• It will affect the way you obtain consent to use personal data – including for your marketing
• If you are a public authority or a business which core business means you undertake “regular and systematic monitoring of data subjects on a large scale” you will be required to appoint a DPO (Data Protection Officer).
• You will now need to undertake mandatory Privacy Impact Assessments (like a data risk assessment) before undertaking a data project
• You will now be required to notify your Data Protection Authority if you suffer a data breach within 72 hours of finding it
• GDPR introduces the right to be forgotten, which you must delete all data if the data subject request you do so
• Data liability is extending beyond data controllers, so even if you are a service provider which processes data, you are now liable.
• Privacy will need to be included in systems and processes by design, including the ability to capability to completely erase data
• GDPR will allow any Data Protection Authority to take action against an organisation regardless of location. This will create a far more level playing field in comparison to today where companies choose to base their data where the Data Protection Authority may be more lenient.

Top tips for your business:

It’s about good admin
Make sure you can document the full process of data from the initial consent, through to where it is stored and how it is analysed and used in your business.

Build the right toolkit
Review which standards you already have in place, such as PCI DSS, COA, or ISO27001. These will be a good starting point and the accredited organisation should provide a framework for you to map your current processes against GDPR compliance.

Privacy by design and by default has a concept of minimisation at its core. This is that only the minimum amount of data is held to complete the task at hand. So, the first activity should be to

Highlight examples of where the processing of personal data or archived data is unnecessary and delete it. For example, home IP addresses in your web stats or individual names in market research data. Data erasure is a key tool here, ensure you are disposing of data securely and ethically. [Link to data service page]

Control and audit user access

Keep a tight control on user profiles for systems which can access personal data within your business. Ensure you have an update to date record of log in information as compromising user accounts is one way cyber criminals can gain access to your data. Consider setting up a single sign in system where you have staff accessing multiple systems.

Have the systems in place to detect if you suffer a breach

Make sure you have the right level of Anti-Virus and Anti Malware in place to protect you against a breach. However, with the landscape of cybercrime always changing a breach is never impossible, so ensure you have the correct procedures and systems in place to identify and highlight unusual activity in your systems.

With the enforcement date of 25 May 2018 looming, now is the time to start reviewing your processes and systems to ensure you are complaint!