Evolving Data Security and Privacy Policies for GDPR Compliance
Here we are, 6 months on from the May 25th deadline and what now for GDPR? If you are reading that sentence and thinking to yourself “GDPR? — that ship has sailed” then I urge you to read on.
GDPR is Still Important
GDPR represents a sea of change in data privacy legislation; redefining the relationship and balance of power between businesses and consumers when it comes to the collection, manipulation and retaining of personal data. No longer do consumers have to blindly trade their personal data in exchange for services.
GDPR sets restrictions on how personal data may be used. It demands that organisations communicate clearly and honestly with customers about the use of their personal data. GDPR also gives consumers the power to meaningfully control their data and seek redress when it is misused.
Notice how I use the present tense?
GDPR is here to stay, it is the new normal. A fact which, I fear, may have passed many businesses by — lost in amongst the frenetic activity, eager anticipation and intense speculation surrounding its introduction. Now the deadline has passed, privacy policies have been updated and the staff awareness training has been delivered, it is easy to believe the job has been done. Right?
On the contrary, this is only the start. GDPR compliance isn’t a one off destination — somewhere you reach, park up and get comfortable; it’s a continual journey. Let’s remind ourselves that the GDPR legislation only sets the requirements to which businesses must comply. It does not define the internal processes necessary to support this compliance. Nor does it help you identify how your current processes might change in the future and the impact of this on your compliance. Regardless of whether you had a little or a lot to do to be GDPR ready for May, what shape are you in for being GDPR compliant in 12 months, 2 years, or 5 years’ time?
So, 6 months on, now is the time to take stock of what has been achieved; identify any planned work that is left to do. It is also the time to look inward and consider if you are able to remain compliant in the future and through changes to your business. The new GDPR challenge for us all is maintenance.
Here are some useful tips which will help you ensure your approach to GDPR compliance remains fit for purpose over time.
Review and Re-evaluate
Whatever actions you have taken on your road to GDPR, be sure to repeat them on a regular basis. Many of you will have carried out an initial gap analysis and data audit in order to shape your GDPR response. Keep in mind that these will need to be repeated at an appropriate interval and ensure you have the resources in place to carry it out. Technologies, systems, suppliers and even the nature of a business can change and evolve over time which could see you moving into previously unidentified and unfamiliar GDPR waters.
Just because you’re not a data processor today, doesn’t mean you can’t be tomorrow. Taking the time to reassess is an important step, which if ignored could see you exposed. The same goes for all relevant policies and procedures. It would be a mistake to see these as set in stone, they should, in fact, change in line with your business else they become inaccurate and outdated. For all GDPR related actions and materials draw up a review schedule to ensure the content and your compliance remains accurate and reliable.
Don’t Assume — Check
The best way to illustrate this point is with an example. GDPR requires that you as an organisation respect and respond to a data subject’s right to see the data you have on them, aka a Subject Access Request. You might have taken the time to document an internal policy and process on this. Is that enough? No! Don’t assume blindly that the process you have put together actually works in a real life situation — test it! Should you receive a SAR, are your staff well-trained enough to recognise it and then apply the relevant process? Does the process include enough detail to guide your investigations and assembling of relevant data? Such practice is important to ensure efficiency of processes and avoid unexpected problems when time is really against you.
Go Beyond Simple Compliance
Like most information security professionals, I’ve done my fair share of ranting and raving about GDPR. At times it has felt like my personal Everest. For compliance to stick, it’s time to move into a position of acceptance. Let’s remember, the intent of GDPR isn’t about making life complicated. It’s also about making legislation fit for purpose in line with our online-centric, technology-focused world. GDPR recognises the growth in the volume digital information we create, its inherent value and thus the need for protection. It is time for businesses to understand this too.
The intent of GDPR isn’t about making life complicated, it’s about making legislation fit for purpose in line with our evolving online-centric, technology-focused world; so our policies must evolve too.
The best way to achieve this is through seeing the bigger picture and embracing data security as a legitimate business priority. Ask yourself this, which usually has the better outcome, doing something because you have to or doing something because you want to? I have already written in another blog about techniques for creating a positive culture towards data security and they can all be applied here.
The original version of this article appeared on the FlexMR Insight Blog and can be accessed here.