We are now less than 48 hours away from the Europe’s General Data Protection Regulation (GDPR) becoming enforceable on 25 May. And unless you’ve been living under a rock for the last two years, you don’t need me to tell you that this new regulation promises to put power back into the hands of consumers, giving them more control over how their data is used.
Yet with so little time left to become GDPR compliant, what are some of the final checks an organisation may want to consider? Here are some of the most prominent ones that I’ve been discussing with customers as we edge closer to that GDPR “start-line”.
Think about your data culture
As part of being GDPR compliant business leaders need to be asking themselves if a) they truly understand the personal data that sits within their organisation, and b) whether all employees really understand how to correctly handle it? If the answer to either of those questions is no, then immediate steps need to be taken. Not only is it critical to ensure any organisation is handling the personal data it holds in accordance with the new law, but it is paramount that all staff, from board level, through to juniors, understand the implications it has on them. This is where a strong culture of data education and data literacy needs to be driven along with a mentality that GDPR compliance is just the start of the journey rather than finish point for all businesses.
Get to know the role of your Chief Data Officer
GDPR is naturally pushing the role of Chief Data Officer (CDO) to centre stage but it’s important not to fall into trap that, with a CDO, everything is under control. And that’s because the job role of the CDO varies enormously. Some are focused on compliance, taking on the more specific role of Chief Data Protection Officer, while others may look more at the bigger picture, finding new business models and improving operational efficiencies. Having clearly defined job specs and responsibilities between the CDO, the CDPO and the wider IT team is critical.
Understand the importance of data governance
With roughly 25% of data breaches coming from inside an organisation, it is more important than ever before that businesses ensure only authorised personnel have access to the mission critical data needed for their role. This isn’t something that is achieved over night, it requires education, a strong and flexible data governance policy and an equally agile data analytics platform that can report and track everything and maybe even help to enforce it.
Ensure consent is effectively managed
It will be vital to track who has opted in and who has opted out of receiving marketing information. Clear visibility is needed across all marketing systems as any misalignment could be deemed as non-compliance. Sending out an unsolicited email to someone who has opted out, or worse not even opted in in the first place, could be a trigger for a complaint to a DPA / Supervisory Authority to investigate. Keeping a strong audit trail will help keep organisations on track and avoid any complaints.
Audit data retention policies
Do not keep any personal data any longer than is necessary. Business leaders must ensure their organisation’s data retention polices are up-to-date and well understood. Now is the time to get organised and continually enforce good auditing practices of files and records across all systems.
Responding to data privacy requests
GDPR essentially brings in enhanced rights to individuals – giving them a greater say in how their data in used and where it is stored. With 40% of consumers expected to make requests on exactly this, business leaders must have an action plan in place to ensure they are ready to respond and share all details within the timeframe outlined. Locating such potentially vast amounts of data could take a lot of time and resource which is why self-service portals that empower individuals to gain access to their own personal data will become key.
[su_box title=”About Adam Mayer” style=”noise” box_color=”#336588″][short_info id=’104744′ desc=”true” all=”false”][/su_box]
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.