5 Steps on the Journey to GDPR Compliance
There are still a vast number of organizations that have not taken the necessary steps to ensure GDPR (General Data Protection Regulation) compliance? The problem surrounding GDPR compliance is that it’s thought of as being just an ‘IT issue’. Lots of businesses seem to either have an inflated sense of confidence around how they already handle data, or they’re shrugging it off as someone else’s problem – which is to miss the point entirely. Compliance with the GDPR, in terms of both preparation and maintenance, should be a company-wide effort. Not least because companies who are found to be non-compliant could face hefty fines that would affect everyone.
And if the stipulations of the GDPR seem significant, it’s because they are. We’ve not had any updates to data protection laws since 1995 and things have changed a lot since then. The way businesses collected and stored personal data back then is no doubt very different to the way they do it in 2018.
When you put it like that, the GDPR seems pretty overdue. Today’s organisations should be welcoming it as an opportunity to update their whole relationship with data protection and make it fit for the future. To implement a methodology that’s built into the fabric of the organisation – not an afterthought or just something for IT to deal with.
The way we see it, there’s a very simple way to frame your approach to GDPR compliance. The five steps detailed below is the process we at Veeam went through to prepare. Now, we’re sharing it with you, in the hope that you’ll be able to complete your journey to compliance.
Knowing your data
If you’re a business that has or holds data on EU citizens, formally known as Personally Identifiable Information (PII), then the GDPR applies to you. That means you’re liable to penalty fines if you’re found to be non-compliant after the deadline of 25 May 2018 which has now passed. The best starting point, then, is simply knowing whether you hold this kind of data or not, and if you do, where it’s kept. Creating a visual map of all the data you hold will help you to build a comprehensive picture and get better oversight of this.
A lack of knowledge around the kind of data they hold may be another reason why so many businesses don’t seem to be taking much notice of the GDPR – or just don’t think it applies to them. It could be that they don’t believe they hold any relevant data (hint: if you employ EU citizens, you do), or don’t realise the breadth and scope of the data they do hold (hint: personal data is more than just names and addresses). Which is precisely why just knowing your data is the first step on your journey to compliance.
Managing your data
Once you’ve built up a picture of all the relevant data you collect and hold, it’s time to look at who has access to it and how it’s being used. Different teams and departments in your business will be accessing the same data in different ways and will be using it for varying purposes. Whether it’s a marketing team inputting data on prospective customers and sharing it with the sales team, or a HR team handling data on its own employees, it’s essential that you implement standardised procedures and workflows around the handling of personal data, and that employees only have access when it’s necessary to their business function. Managing your data is about having visibility of the way data lives and breathes in your organisation – even if that’s not in-house. Your GDPR compliance also depends on the compliance of any third-party vendors or providers you work with, so the onus is on you to make sure they’re abiding by the rules. No turning a blind eye to data management once it’s out of your own business’ hands.
Protecting your data
Having gained better oversight of your data and implemented standardised processes to manage it, it’s time to make sure the right security controls are in place to protect the data – but that doesn’t just mean encryption. To be compliant you can’t simply turn security ‘on’ and put your feet up; the GDPR requires constant monitoring and diligence, and also much quicker action in the event of a data breach.
It’s true that technology will play an important part in that journey, but technology alone will not bring about compliance. Rolling out a new company-wide approach to data protection requires a combination of security techniques, standardised workflows, internal education, access control, backup solutions, and much more besides. Keeping on top of who has access, where and when, with constant auditing and monitoring will enable much swifter responses to the data breaches that, despite everyone’s best efforts, are probably still inevitable.
Documenting and complying
One of the GDPR’s hottest topics is the introduction of data requests, which means an individual will have the right to request the correction or deletion of the data held about them. Businesses will be expected to comply with these requests and show that they’ve done so, which is why visibility over what data you hold – and where – is so crucial.
Ongoing compliance with the GDPR also requires the documenting and auditing of what data you’re collecting, what it’s being used for and how long you’ll be storing it for. When we went through this step, we asked ourselves questions like: Is the data we collected months ago still relevant today? Do we still have visibility of data when it’s moved from one place to another? Are our third-party providers still compliant?
One of the benefits of constantly monitoring and auditing your data protection processes is the opportunity to constantly review and improve them. It’s true that the GDPR is something of a line in the sand, but as the digital world we live in constantly evolves and expands, it’s safe to assume that responsibilities around data privacy and protection will also continue to increase – so businesses will need to continually improve to keep compliant.
The GDPR should be seen by businesses as an opportunity to rethink their entire approach to data protection, now and moving forward. It’s a chance to make their organisations fit for the future – and they should grab it with both hands. We learnt a lot about our business and our data in becoming GDPR compliant. We hope our story now helps you.