Ben Brothwell
Security Practice Lead
7 June 2017
Comply to IT: staying out of trouble in the GDPR age
May 2018 will see the EU’s General Data Protection Regulation (GDPR) come into force – requiring all UK organisations to protect personal data on EU citizens, on pain of large financial penalties. The new law differs significantly from existing DPA legislation, and achieving compliance will not be a simple formality for most companies.
If you’ve read my previous blogs (here and here), you may recall that Northdoor splits the GDPR-adoption process into three chunks: “Find IT”, “Classify IT” and “Comply to IT”. As their names suggest, the first two stages are all about discovering what personal data you hold and then classifying it based on how the new law impacts it. (We also suggest you encrypt all data as soon as possible.)
The third stage – Comply to IT – is all about setting up and managing the organisational structures around people, processes and technology that will ensure ongoing compliance. As a starting point, you should be taking care to document all actions, decisions and policies around personal data to help you comply with GDPR’s accountability requirements.
Your organisation may already be required to inform the ICO of any personal data breaches. Under GDPR, breach notification will apply to all organisations – so you need to make sure you have the right procedures in place to detect, investigate and report on these events. Failing to meet the set deadline for a breach notification will add further financial penalties on top of any fines levied for the breach itself.
A 2015 study found that 87% of security spend goes on the network perimeter, but that 86% of breaches originate inside the firewall – making it vital to build an internal culture of “privacy by design”.
Under GDPR, this will be an explicit legal requirement, so internal policies need to take into account the organisation as a whole, from top to bottom.
Detailed guidelines are available from the ICO on how Privacy Impact Assessments (PIAs) can link to organisational processes such as risk management, and all companies will need to consider when and how PIAs should be run.
The key point here is to appreciate the far-reaching implications of GDPR, and to make sure that your organisation understands that it’s not simply a box-checking activity for database managers. For help on understanding what GDPR could mean for your organisation, and practical tips on starting the journey to compliance, please contact Northdoor for an informal assessment, or read our quick-start paper.