By Richard Jefferies
Insurance Sector Client Manager
With 25th May now passed and GDPR “implemented” – what next? For some companies, it is still a case of where to start? For most companies, it is a time to keep working away at the gaps to compliance and keep an eye on the news feeds for any headline-grabbing data breaches and associated fines that will be a barometer of just how serious this is.
Northdoor is realigning its GDPR services into a post-25th May business environment, based on what our clients are seeking: assurance, credibility and ongoing compliance. Most companies have invested heavily in getting their GDPR programmes in place and now wish to be certain they are effectively delivering the programme and can meet ICO compliance requirements on a consistent basis.
We’ve called it “industrialisation”. Companies put plans and frameworks in place to meet the deadline but now need to automate/industrialise their processes and are exploiring technology to enable this.
The hot topic technologies we are seeing clients adopting e.g. for subject access requests (SARs), focus on data discovery, classification and masking and also 3rd party compliance. We are seeing even a small number of SARs effectively break manual processes, so technology is needed to increase not only the pace but also the accuracy of addressing SARs.
We took our own medicine too, using one of the powerful data discovery tools we provide for our clients on our own company systems to quickly uncover a very surprising volume and variety of sensitive data, which has now been suitably classified, masked and where appropriate removed.
Another manual process that quickly absorbs large amounts of time and resource is assessing 3rd party compliance. You create a questionnaire-based checklist for GDPR compliance that you send out to your suppliers, partners, etc. You chase them up to fill them out. You chase them up again. You receive questionnaire-based checklists for GDPR compliance from your partners, etc. (all different but essentially the same) and are chased to fill them out. The task is then to assess, score all of the spreadsheets against compliance and then flag areas to address. How long do you then leave it before you should re-assess, as things change?
As the impacts of GDPR compliance become more real and tangible, it does look like technology now is playing a key role for effective and efficient compliance.