As the EU General Data Protection Regulation (GDPR) compliance deadline nears, it is increasingly apparent that a significant number of organisations won’t be ready in time. Although everyone should be aiming to meet the 25 May 2018 deadline, it’s not the end of the world if you don’t. After all, you can continue to put measures in place after this date.
Nonetheless, it’s essential that organisations that aren’t yet compliant take action as soon as possible. Failure to do so will lead to growing criticism and a greater risk of disciplinary action. Supervisory authorities will almost certainly be more lenient with organisations that can show they are in the process of complying.
What you need to do
There are myriad steps to GDPR compliance, and it would be impossible to list them all here. However, compliance generally boils down to two main themes. First, the Regulation strengthens EU residents’ rights concerning their personal data, meaning organisations need to take greater steps to accommodate individuals. This includes collecting as little information as possible, letting individuals know why data is being used and permitting them to access it or request that it be amended or erased.
Second, the Regulation mandates that organisations take steps to mitigate the risk of data breaches and respond appropriately if they are breached. This involves both organisational and technological measures. For example, organisations need to conduct data protection impact assessments (DPIAs) when introducing new processes, systems and technology, and certain organisations need to appoint a data protection officer (DPO) to oversee GDPR compliance. Organisations also need to pseudonymise and/or encrypt personal data and conduct regular penetration tests.
Read more about the GDPR’s compliance requirements:
- Where to start with GDPR compliance
- The GDPR: A guide for small businesses
- GDPR compliance for professional services firms: time to get on track
- What is ‘privacy by design’?
- Essential guidance on achieving and prioritising GDPR compliance
This is only the beginning
Preparing for the GDPR is only the first step. Organisations then need to make sure everything is working as it should. The possibility of procedural oversights or technological failures should be a major concern, so frequent reviews of compliance processes are essential. However, an even bigger risk is employees who don’t follow policies. Employees are the ones collecting and processing personal data, and it only takes one falling short of the GDPR’s requirements for the whole organisation to be at risk of disciplinary action.
Organisations can address this problem by encouraging behavioural and cultural shifts in the workplace. Employee negligence is the root cause of many data breaches, so they need to be aware of their data protection obligations. Staff awareness courses and an added emphasis on security will help, but to mitigate the problem fully, organisations should commit to an in-depth review of their cyber security posture.
Our Cyber Security Audit and Review helps you do just that, delivering an independent assessment of your organisation’s compliance with a host of regulations and best practices, from the UK government’s security policy framework to ISO 27001.
You will receive consultancy support in a number of areas, including:
- Verifying that information processes meet the security criteria, requirements or policy, standards and procedures;
- Defining and implementing processes and techniques to ensure ongoing conformance to security policies, standards, and legal and regulatory requirements;
- Carrying out security compliance audits in accordance with an appropriate methodology, standard or framework;
- Providing impartial assessment and audit reports covering security compliance audits, investigations and information risk management;
- Recommending responses to audit findings and appropriate corrective actions; and
- Objectively assessing the maturity of an existing information auditing function using cross-government benchmark standards.