Getting started with GDPR…
It seems we can’t even go a week without a new security vulnerability hitting the news, or a Company being hacked and losing personal data. This problem has gone on for years and Companies have been allowed to hoover up personal data unchallenged.
Come May 2018 it’s all change. The General Data Protection Regulation (GDPR) comes into effect and will give EU residents more control over their personal data, regardless of where in the world the organisation is located. In short, if you are handling personal data belonging to an EU resident, GDPR applies to you.
Last year we published a Top 10 FAQ on GDPR; since then, the number one question we are being asked is simply: where do I begin?
The good news is that this page is going to answer that for you. We have also opened up the page to comments, where you can post your questions and we will answer them for you!
The first thing you need to do is identify all the personal data that you are storing within the Company.
The best method of doing this is to start off by listing all the applications that your company is using. It’s good practice to list everything and rule applications out afterwards, rather than miss something off the list that might cause you pain later in the process. Once done, consider what data is being processed by each application; for GDPR we are only interested in personal data, so click here to see a list of the things you want to identify.
When listing the applications, remember to include all of your Cloud based applications: Dropbox, OneDrive, any CRM tools etc. Keep in mind that you remain responsible for your data even though it is hosted in the Cloud. So if Dropbox gets hacked, you are liable.
Once you have completed this exercise for your applications, repeat the process for all of your file servers and network shares. You might also want to include those users and devices that process data locally, such as the HR team.
The first step here is to create a written policy; this will detail how personal data is to be handled within your Company. You will also be able to define data retention periods and rules that govern your employees. This will prove very useful in the months ahead and will play a pivotal role when it comes to feeding back into your employee training programmes.
When writing your policy, keep in mind EU residents’ rights and what a data disclosure would mean to your Company. If you are storing data on EU residents and you really don’t need it, then this is the time to get rid of it once and for all.
The GDPR provides the following rights for individuals:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
Many Companies that we have worked with have also introduced a data classification policy detailing which rules apply to each class of data; for example, CLASSIFICATION 3: RESTRICTED – This data may not be shared externally, or copied to any portable media including memory sticks.
Protecting your systems will vary from Company to Company and there are many things to consider. At a minimum Companies should be looking at the following technology:
- Data encryption (transmission and at rest) – Ensure that data is encrypted even if stolen.
- Advanced Threat Analytics – Understand when users are logging in to the network and what they are doing, so that abnormal patterns are detected. How do you know if one of your employees is stealing your data prior to leaving the Company?
- Data Loss Prevention – Automatically tagging new data in accordance with your Company policy (Step 2 – Manage)
- System Patching and Health Monitoring – Ensure that systems are healthy and fully patched at all times.
The GDPR requires Companies to report data breaches in certain circumstances within 72 hours of detection, along with notifications to individuals. For this stage you will need to appoint an internal employee as the Data Protection Officer (DPO) or appoint a virtual one who will be responsible for reviewing system logs and educating the staff whenever a breach occurs or is prevented.
We hope this article has been useful, next week we will be publishing a list of Microsoft Products and Tools that can assist you in every phase of your project to ensure GDPR compliance. In the meantime, if you have any questions feel free to post below and we will get back to you ASAP!