Last week, the GDPR (General Data Protection Regulation) turned one year old. Whether the panic and stress that accompanied the compliance deadline feels like a distant memory or still gives you nightmares, your data protection and privacy posture is something that shouldn’t be in your rear-view mirror.
GDPR compliance is an ongoing process and should be embedded by design in your data protection practices. If you haven’t been keeping a close eye on your regulatory requirements in the past year, here are some important steps you should take.
Tailor your defences to the threats you face
The GDPR is as broad as possible when it comes to the security measures that organisations should implement.
There are several reasons for this, the first of which is that every organisation is different and has its own vulnerabilities. What’s essential for one organisation might be irrelevant for another. Likewise, one organisation’s idea of efficient might be another’s idea of impractical.
The second reason the GDPR’s security requirements are broad is that the threat landscape changes over time. As organisational processes and the way cyber criminals operate develop, new vulnerabilities emerge. You therefore can’t stick rigidly to a certain set of defence mechanisms, as they might become irrelevant over time.
Similarly, business processes become more efficient and security best practice changes as new technology becomes available.
So, how can you stay safe while balancing all of these concerns?
Perform data protection impact assessments
DPIAs (data protection impact assessments) are a type of risk assessment that identifies threats related to personal data.
They identify specific scenarios that can affect various business activities, and analyse how damaging those scenarios will be and how likely they are to occur.
Documenting this gives you a true reflection of your security posture and helps you prioritise which defences you should implement.
DPIAs should be conducted at least once a year or whenever you make substantial organisational changes. This enables you to stay on top of the risks you face and review the best ways of mitigating them.
A thorough risk assessment isn’t enough
You can’t assume that the controls you’ve implemented as a result of your risk assessment will cover every compliance requirement – not least because many of the GDPR’s requirements, such as those concerning data subjects’ rights, aren’t related to risks at all.
To make sure you’ve addressed every necessary requirement, you should:
Conduct a gap analysis
A GDPR gap analysis involves breaking down the Regulation into a long list of requirements and reviewing your compliance status. It could be a simple tick-box exercise, with the unchecked steps forming the gaps that need to be addressed.
Alternatively, you could take a more in-depth approach, recording the stage of compliance each requirement has reached. For example, you could note whether:
- You haven’t done anything to address compliance;
- You have a plan for addressing the requirement but haven’t got around to it yet;
- The requirement has been implemented but hasn’t yet been reviewed; or
- The requirement has been implemented and is regularly reviewed.
GDPR gap analyses are difficult to complete, because you need to be not only familiar with the Regulation but also capable of determining whether the organisation has interpreted its requirements correctly.
We therefore recommend that you seek expert guidance when conducting a gap analysis. You could hire someone to help complete the process for you, but there are more cost-effective ways to get the necessary guidance.
Everyone must know their rights and responsibilities
As mentioned above, GDPR compliance is as much about protecting data subjects’ rights as preventing security incidents. Organisations must also:
Write a privacy notice
A privacy notice is a document that organisations give to individuals to describe the way their personal data is being collected and used. It has two aims: to promote transparency and to give individuals more control over the way their data is used.
Transparency is a key principle of the GDPR, as it ensures that personal data isn’t used without an individual’s knowledge or against their will. Organisations must therefore explain in simple terms what data they’re collecting, why they need it, what it’s being used for and whether any third parties will have access to the data.
Providing this information helps individuals understand their rights and how they can be exercised.
Write a data protection policy
A data protection policy is an internal document that explains the GDPR’s requirements to employees.
It states the organisation’s commitment to compliance but doesn’t need to describe the practical steps that need to be taken to meet the GDPR’s requirements; this will be covered in your procedures.
The data protection policy is designed to familiarise employees with their obligations, many of which relate to data subjects’ rights.
Future-proof your organisation
Organisations looking for help completing these steps should consider our GDPR Compliance Solution – By Design and By Default bundle.
This all-in-one solution contains a variety of tools – from training courses to risk assessment software – to help you achieve and maintain compliance.