GDPR is not over yet, writes Rob Perry, vice president of product marketing at tech firm ASG Technologies.
Preparing for GDPR (the EU-wide General Data Protection Regulation) has been a time-consuming, costly and resource-heavy process. Given the effort involved, trying to maintain the same pace to keep up with compliance could leave organisations severely drained.
It is vital, therefore, to find a way to make compliance sustainable by ensuring it is as easy and as resource-light as possible. The answer is to identify manual tasks and replace them with an automated approach, while at the same time establishing a series of best practices that will become second nature to all involved.
A good way to start is to bring together all documents covering data, such as records of processing activities, the legal aspects of GDPR and the related processes. This will form the base from which the business can implement controls and processes before embedding them in its Governance, Risk Management and Compliance (GRC), IT security and organisational processes. This will take time, but businesses should see it as an investment and a sound foundation that will pave the way for easy and efficient implementation of all other aspects of continued compliance.
This will be the beginning of implementing best practices – the key to ongoing compliance without spending so much time and money that it becomes a burden to the business. Some businesses may be required by the regulations to appoint a Data Protection Officer (DPO) who will review materials from the national regulatory body and the European Data Protection Board, ensuring they have a solid grasp on what is expected and how it can be applied to the business. They will make sure all the right consents are in place, close any gaps and certify data processing agreements. From here they can help build the Article 30 record of processing activities – a task that can’t be ignored for continued compliance.
Regular training updates, whether through online courses or formal in-house classes, are essential to ensure employees recognise the need for data protection and the penalties for non-compliance. It is important to avoid a box-ticking mentality and instead ensure all employees see the wider picture and how a breach could impact the company.
The concept of “data protection by design and by default” is a specific mandate of the GDPR. Once this has been achieved it will be possible to determine which processes can be automated. Automation can greatly simplify data processes and increase reliability, with the right solution capable of interacting with all other enterprise systems and applications to access and manipulate data quickly.
Automation will be key to maintaining compliance over time as it will allow technology to take the lead in areas such as data discovery and the classification and identification of personal data. Automating these processes will not only save huge amounts of time and remove the element of human error, but will also make it possible to implement standard workflows for processes so that when errors and privacy issues occur they can be automatically flagged, managed and rectified.
Businesses have just 72 hours once they have become aware of a data breach in which to gather all relevant information and report the incident to the regulator. Automation can accelerate this reporting process by quickly locating impacted data and affected groups of people and help avoid subsequent fines.
For continued compliance, a business must also ensure that its processes are robust enough to be followed in the long term. More data breaches have been caused by papers being left lying around or data in spreadsheets getting lost than by cyber attacks. According to the UK Information Commissioner’s Office (ICO), in the health sector alone, the loss or theft of paperwork was the second most common reason for data breaches in the last year, behind data being faxed or posted to the incorrect recipient. The risk of these incidents of human error under the GDPR is particularly high, with potentially costly repercussions, highlighting how pressing it is for a business to adopt sustainable processes.
Seeing GDPR as an opportunity rather than a burden could open up new possibilities. The information gathered for compliance makes it possible to map out all consents, as well as where data is being used without consent, which could yield new insight into your data assets. GDPR also has the potential to reduce data management costs as it facilitates the identification of redundant data. Activities from compliance could even be applied to other parts of a business and support its digital journey.
GDPR is still new and many are still debating what it entails. However, the need for data protection is hardly going to weaken or leave us entirely. There is no alternative but to see GDPR as a permanent reality and find a way to make compliance less costly and more sustainable.