GDPR Compliance: Two months to go, so get ready
Ben Rapp from Managed Networks, in association with Securys, continues his series of articles on how to comply with new data protection laws starting in May
There’s a saying in warfare that no battle plan survives contact with the enemy. Sometimes, what sound like brilliant ideas in the writers’ meeting die painfully on stage. You may remember Harrison Ford allegedly telling George Lucas on the set of Star Wars: “You can write this shit, George, but you sure can’t say it.”
Now is a good time to review whether the changes you’ve made in implementing GDPR compliance are actually working. Have your new working practices been adopted?
Are your policies being followed? Do they work?
Start by asking your own staff: have they had any training? Did they understand it? What are they doing differently? What have they been told to do that they are confident is completely unworkable? They’ll know, but they may not tell you unless you encourage them to speak freely.
Do some testing. Pretend you’ve had a data subject access request. How long does it take to find all the information? How easy is it to collate? Is it comprehensive? Does it contain personal information about other people, and, if so, how long does it take to redact that? Would you be happy to send everything, including the relevant policies, records of processing and justifications, to the data subject?
Have a look at breaches that have happened to other organisations, and pick one (or more) that you think could affect you. Would your containment, recovery and crisis communications plans work? How bad would the impact be on the data subjects affected? Is there anything more you could do to prevent it, or to reduce the impact on data subjects?
The world hasn’t been standing still while you worked on the project. There are new threats and vulnerabilities, there are new interpretations of the existing law, and new guidance on future enforcement. Catch up with these changes and determine whether any of your policies or processing need a rethink. Data protection is and always will be a moving target.
If your plan included testing different approaches to compliance – for example different opt-in strategies – now is the time to collate the results and see which one worked best. You need to give yourself time to get the final version fully implemented, so you can’t leave it until the night of May 24. Similarly, if you have been looking at return on investment for data-driven marketing, to decide if some of your processing is worth it, you should have your answers by now.
External review can also be helpful, both as a sanity check and as a way to bring things back on track if they’re lagging behind schedule. Sometimes it takes an outsider’s input to get people focused on what’s necessary. You may also have chosen to get a certification, such as Cyber Essentials. This doesn’t address all of the issues in GDPR, but it’s a major step along the road. If it was part of your plan, you should have your first audit report by now. If you didn’t pass, you still have time to address whatever defects were found and get retested before the deadline.
Make sure you report to your board, or trustees, on progress. That governance reporting is a key part of the ongoing maintenance of appropriate data protection, and you should get it embedded into your organisational practice now. A detailed report, and minutes of a board discussion, are also useful evidence of the work you’re putting into becoming compliant, should anyone ask you.
As always, if you need help with any aspect of data protection, information security or IT in general, you can reach us at firstname.lastname@example.org or by calling 020 7496 8000.