Tip 1: Plan for the GDPR future, not just enforcement day
The 25th May is enforcement day for the GDPR and while many are fixated on this date, it is now widely accepted that no business will be 100% compliant to every requirement. Rather, businesses should see the GDPR as the beginning of a new era of data protection. They must be armed and in a position to ensure compliance now and into the future and not simply paint over the cracks.
The guidance that comes with this regulation will also evolve over time, so businesses must be ready to keep up with further changes to data protection standards. The first six months post-enforcement date will be critical; organisations should be looking to learn, adapt and adopt best practice as they continue to hone their data protection obligations.
Tip 2: Remember due diligence and data governance
Grey areas in your organisation will prove to be a fast track to GDPR disaster. To gain transparency and put in place strong data governance, businesses will need an accurate picture of what and how personal data is being used to identify misuse and broken business processes.
Data governance and regulatory compliance is not just the responsibility of the Data Protection Officer (DPO) and the legal team, but for all business functions across the organisation. The 2018 Netskope Cloud Report found an average of 139 HR apps in use across organisations, and these are not necessarily all sanctioned. This underlines the importance that all departments and individual employees must act to enforce and support their data governance and regulatory compliance commitments.
Tip 3: Automation is essential
Maintaining an accurate record of processing (Article 30) is a critical requirement of the GDPR ruling that all personal data processing activity must be recorded, managed and updated to a granular level – a significant task in today’s cloud-first world. Human error in data processing will continue to be a problem, and the only way to effectively eliminate this is to automate maintaining this record where possible. Automation will help to create consistency in how data is safely collected, processed and ultimately retained until being destroyed.
“If personal data is stolen or being misused, it is critical the controller raises the alarm and reports the incident to the relevant supervisory authority within 72 hours. Depending on the data category, an organisation may need to report to multiple supervisory authorities and this is further complicated if the breach affects your business in multiple countries. There is plenty at stake, both reputational and financial, so getting breach notification and response management right is imperative. It is highly probable that human error and data misuse will emerge as top causes for data breaches, meaning that education must be ongoing, particularly in areas such as cloud security.”
“Rather than simply seeing the GDPR as a necessary evil, it should be realised that there is value to be gained from the approaching EU regulation. Businesses ready to embrace the regulation will have the opportunity to do more than just enhance data protection, but also to implement a more ethical approach to data handling.”
“In the future of GDPR we may see developments in the regulation that open up new opportunities. A star rating system could be implemented for example, whereby customers and shareholders could see how proactive and well-equipped a business is for protecting their data. An initiative like this would provide added impetus to organisations to not only get their data protection standards in check, but to pursue data protection innovation that can be truly seen to enable and grow a business.”