The data breaches that continue to make the headlines show the importance of data protection and laws like the GDPR (General Data Protection Regulation).
If you’re only beginning to look at compliance, the Regulation may seem overwhelming.
The good news is that many of the GDPR requirements reflect efficient business activities or practices – things that’ll help you as an organisation irrespective of compliance.
This blog explains further, as we take you through eight steps towards becoming compliant with the GDPR and similar data protection laws.
In this blog
- Secure management buy-in
- Identify what personal data you hold
- Identify your processing activities
- Identify your purposes for processing
- Eliminate inefficiencies
- Conduct a risk assessment
- Conduct a DPIA (data protection impact assessment)
- Implement appropriate technical and organisational measures
1. Secure management buy-in
Board or senior management support is a prerequisite to successfully introducing cultural change to the organisation.
This doesn’t just ensure the project is sufficiently resourced; it also improves cooperation. Don’t forget: while someone will be in charge of the overall project – the data protection lead – that person isn’t responsible for ‘doing’ compliance themselves. Rather, they guide others through the necessary activities and are responsible for maintaining compliance.
But to get such cooperation, and see as little resistance to change as possible, managers must support these changes.
2. Identify what personal data you hold
Contrary to common belief, the GDPR isn’t prescriptive.
The Regulation doesn’t list specific actions every organisation within scope must take. Rather, it takes a principles- and risk-based approach: organisations that process less personal data, or less sensitive data, require less rigorous measures than those that process large volumes of highly sensitive data.
But to determine what’s appropriate for your organisation, you must first identify exactly what personal data you’re collecting and holding.
To make life easier, take it one department at a time, preferably starting with HR and other highly regulated teams. Data protection leads may also want to look at higher-risk departments before lower-risk teams, as well as take into account which teams are more receptive to becoming compliant.
You may well find that as you get a few teams on board, and they start to experience the day-to-day benefits of compliance, the remaining teams become more cooperative too.
3. Identify your processing activities
Once you’ve identified what personal data you collect and process, you can identify the processing activities for which you’re using that data.
You could think of this as creating your ‘data inventory’, which you can later use as the basis for your Article 30 ROPAs (records of processing activities). Make sure you specifically identify what data is used for what processing activities. This will highlight data you might be collecting but not using, or that doesn’t need to be used to fulfil the purpose of a given activity (raising issues around lawfulness).
This isn’t just to meet key GDPR principles like data minimisation and purpose limitation, but also minimises the risk to your organisation.
4. Identify your purposes for processing
The GDPR demands that personal data be processed lawfully.
That means you must be able to rely on one of six lawful bases to process the data:
- Contractual obligation
- Legal obligation
- Vital interests
- Public interest
- Legitimate interests
- Consent
If you can’t point to one of these lawful bases for a processing activity, that doesn’t simply make the processing unlawful – it strongly suggests the data isn’t serving a business purpose, either.
If you can’t explain why you’re collecting the data – and “just in case” isn’t a good reason – you should probably destroy that data.
5. Eliminate inefficiencies
Besides uncovering data you don’t need, you may identify other inefficiencies, too:
- Duplicated work/processes
- A process that could be done in another way (simpler, cheaper, faster, etc.)
- Data that’s not properly secured
Addressing such matters makes it easier to manage your risks, and improves data governance and accountability. People will take ownership and responsibility for their roles, and communicate better.
As an organisation, you’ll also be more confident and create a better culture.
6. Conduct a risk assessment
Now that your business processes are more settled, it’s time to look at your risks.
In spite of the general rewards that come from achieving GDPR compliance, most organisations pursue it – in the first instance – to mitigate their risks. Specifically, those of data breaches and enforcement action.
We’ve previously interviewed our head of GRC consultancy, Damian Garcia, about where to start with risk management, how to mitigate risks, and how to select effective security controls.
Some of his top tips include:
- Make sure you clearly define what constitutes a ‘high’, ‘medium’ or ‘low’ risk. Establish a common vocabulary to make sure everyone is using the same words to mean the same thing.
- Remember that you don’t have to eliminate a risk – just bring the risk level down to an acceptable level.
- To achieve this, you can choose from four broad risk responses: modify, share, retain and avoid.
- Of these, ‘modify’ – i.e. implementing a control – is the most common response. When choosing your measures, be sure to ask ‘why’. What benefit does that control have, and does it outweigh its cost?
- Should you choose to ‘share’ a risk, remember that outsourcing a risk doesn’t equate to getting rid of that risk. Damian gave more specific tips on mitigating the risks around outsourcing here.
7. Conduct a DPIA
Where processing “is likely to result in a high risk to the rights and freedoms of natural persons”, organisations must carry out a DPIA (data protection impact assessment) under Article 35 of the GDPR.
To identify processing activities that may present that “high risk”, look to your data inventory and/or data flow maps. They’ll likely involve special categories of data (such as medical information), international transfers, new software, new processing activities, and so on. Our free green paper elaborates on which processing activities are likely to require a DPIA, and how to conduct one.
Remember that the risk must be “high” from the data subject’s perspective – not that of the organisation, as with typical risk assessments.
That said, by mitigating the risks to the data subject, you’ll likely also be reducing the risks to your organisation.
8. Implement appropriate technical and organisational measures
Another key GDPR principle is ‘integrity and confidentiality.’
This requires personal data to be processed in a way that ensures “appropriate security” by using “appropriate technical or organisational measures”. In addition, Article 32 of the GDPR requires appropriate technical and organisational measures to ensure “a level of security appropriate to the risk”.
Such measures can include:
- Encryption
- Pseudonymisation
- Strong access control
- Staff awareness training
- Up-to-date, effective policies and procedures
Take the next step in your GDPR compliance project
These eight steps should get your GDPR project off to a good start, laying the groundwork for both compliance and more efficient business processes.
However, compliance isn’t a one-off activity – it’s something to maintain.
CyberComply can help with this. In just one powerful tool, you can:
- Manage your GDPR compliance gaps;
- Map data flows;
- Automate ROPA creation; and
- Increase efficiency and minimise errors when conducting DPIAs.
Want to see what else the tool can do?
Don’t take our word for it
Here’s what our customers say:
Nikolaus:
CyberComply is an easy and reliable platform to use to fulfil the compliance objectives.
Data Mapping can be connected with the related Data Protection Impact Assessment on one platform.
With the increasing demand for Data Security, we are happy to have this tool.
Felipe:
CyberComply was sourced for being a one-stop, all-in-one product we needed for our compliance and data security needs.
Its easy-to-use nature, backed up with a sterling set of consultants who maintain it and align to current security frameworks, has made our journey much easier to transition.
It’s also removed our need and reliance on spreadsheets, whilst presenting one single source of truth for all our risks and data protection needs.
The post Step-by-Step Guide to Achieving GDPR Compliance appeared first on IT Governance UK Blog.