GDPR opportunity

by Mark Rowe

There’s a lot being written about GDPR (general data protection regulation), and in some sectors it seems to be causing panic. But there is no need to panic, writes Emma Butler, of the digital identity app Yoti.

GDPR builds on the current data protection law, so if you’re compliant with that, you shouldn’t have too much to do to get ready for GDPR. The main difference with GDPR is that it requires a holistic approach to privacy and to embed it into policy, processes, systems, technology and culture and to make it ‘business as usual’. As such, it presents an opportunity for better information governance.

Good information governance is more than a compliance tick-box exercise: it reduces risk, focuses and prioritises company efforts, and demonstrates to shareholders and consumers that the company takes privacy and security seriously. It increases trust and enhances the brand, especially in an age of one breach after another in the news. In some ways GDPR means privacy is catching up with security, which has been an integral part of any business for some time. Typically security is afforded more time at board level and more budget, and typically privacy and security are seen as separate functions. GDPR presents an opportunity for them to come together, pool their expertise and resources, and achieve better information governance for the company.

In certain companies, security and/or IT have been handed the GDPR project to lead; in others they are one of the many stakeholders contributing as relevant. The main focus for security has largely been on the data mapping or data inventory element, security measures, and breach notification.

Data mapping can be a challenge, especially for large companies and those with many legacy systems. However, having a holistic view of what information you have as a business allows both security and privacy to get on with their respective roles to protect that information, ensure and track compliance, introduce efficiencies and respond to requests for actual information, or stats on information, whether from the board, the business operations or consumers.

You may find that any streamlining you do, such as to consolidate marketing databases, could save you money; and you may even be able to develop new product lines once you understand what information you have. Becoming more user-centric also tends to lead to better products and greater trust. So there is an opportunity for security to add real value to the business by playing their part in GDPR planning and implementation.

The data mapping is also a foundation for so many other aspects of GDPR. For example, once you know what data you have and where it is, you can focus on what security measures are in place and where you have gaps, or where you can improve. You can assess whether you can introduce encryption, or de-identify or aggregate data, all suggested by GDPR as risk-reducing measures. Data minimisation is a key principle and obligation, so your data mapping helps you assess where you can get rid of data and make sure retention schedules are being complied with. Once you know what you’re doing with the data, the legal and compliance teams can determine what lawful basis you’re using. Once they know that, they know which rights apply to which data, and can start looking at how to comply with those rights. In some cases, you might need new technology, systems or processes to deal with the rights.

GDPR also requires a privacy risk assessment when personal data is involved and documented evidence of assessments, decisions and implementation solutions. A typical example of a business request is for a particular function to access certain information held in the business. Usually the assumption is that all staff need all data and it’s as simple as getting IT to flick a switch. By working together, privacy and security can assess all the risks of the request, consider technical implementation and consider how to get to the end game in a way that makes everyone happy. And that leads to documented evidence of a risk assessment, with both privacy and security requirements built into the solution. Done right, you’ll have met not only a multitude of GDPR requirements, but probably many of your own KPIs as well!

Often these are reactive scenarios, but a more holistic approach would look at the bigger picture of things like how access is determined, managed and kept up to date; how it connects to the new starter and leaver process; how staff go about asking for and getting access to data, and how that process is managed, documented and approved. Getting these things right from both a privacy and security perspective is crucial to avoid constantly being in reactive, fire-fighting mode.

Ultimately, you can use good information governance and a solid GDPR project plan as a competitive advantage, as part of your values as a company. GDPR is a real opportunity to take a step back, look at how you approach privacy and information governance, consider if it’s the right approach, and do it better. GDPR can be a hard sell, as on first look it seems to be just a longer list of more onerous things you have to do to avoid a fine. However, an enlightened company will see instead the chance to embed privacy and security at the core of its operations, use them as a competitive advantage and increase trust in its brand. It’s time to move away from seeing privacy and security as compliance cost centres, and towards seeing them as the way to make sure everyone wins.

© 2024 Professional Security Magazine. All rights reserved.