Expert comment: Tips to ensure you’re GDPR-ready

Organisations of all sizes now have less than two years before the General Data Protection Regulation (GDPR) deadline. The deadline for organisations to meet new regulations around the treatment of personally identifiable information (PII), combined with expected volumes in data growth, could have huge implications for any business that  processes personal data. Here to comment on this news is Gavin Siggers, Director of Professional Services at Iron Mountain.

Gavin Siggers, Director of Professional Services, Iron Mountain

2018 heralds the deadline for organisations to meet new regulations around the treatment of personally identifiable information (PII) which, when combined with expected volumes in data growth, could have huge implications for any business that  processes personal data. To help businesses understand the impact of GDPR on their information management processes and where it fits within the wider regulatory landscape, six key steps need to be addressed to ensure they are GDPR-ready.

The first question should be what is personal data and do I have it? This then leads on to asking how GDPR applies to me? Vital to this is understanding key terminology including personal data and territorial scope, data subject access requests, data protection impact assessment (DPIA), the right to erasure and data portability, and consent. Step three is asking where does data live within my organisation? This could be data on corporate systems, employees’ personal devices, offsite archives and filing cabinets as well as information stored by suppliers, subcontractors and business partners. Businesses should develop a data map to record where information is, for a helpful organisation-wide view to ensure its risk can be assessed and monitored on an ongoing basis. In parallel, conduct a review and update of existing policies to know what can be done with information and how long it must be kept. This helps to ensure personal data and all other records are only kept and destroyed when required for  legal, regulatory or contractual obligations in a defensible way. Finally, it is crucial to maintain awareness and responsiveness. In order to cope with changing regulations, retention policies need to remain dynamic and evolve with the landscape.

Whilst the new EU General Data Protection Regulation (GDPR) is focused on protecting European residents’ constitutional right to privacy and does not set out any specific retention requirements, failure to comply with it can have far-reaching financial and reputational implications, making it important to get records retention right. It is imperative that businesses take these steps now to ensure they can easily identify where PII resides within their organisation and understand their obligations towards managing it.