Ben Rapp from Managed Networks, in association with Securys, continues his series of articles on how to comply with new data protection laws starting on May 25
What – you thought May 25 was a finishing line? It’s all very well being ready for GDPR by the implementation date, and I’m sure you are, if you’ve been reading these articles and following our advice, but it’s vital to think of next month’s deadline as the start of an ongoing process. You can’t just pop the champagne corks, pat each other’s backs and then go back to your day jobs.
Data protection is an evolving landscape – just look at the current scandal surrounding Facebook and Cambridge Analytica – and you need to stay abreast of all the changes. The GDPR is a new law, and we won’t really know what it means until it’s been tested in court. Who’s going to be keeping an eye on those test cases and making sure you update your policies and behaviours to suit?
The cyber-threats keep evolving too. Maybe you’ve put the effort in to get your network and systems into shape; perhaps you’re confident you meet your obligations under Article 32 to have effective information security that assures the confidentiality, integrity, availability and resilience of the data you store and process. But will that still be true in six months’ time? Who’s going to keep your systems up to date and check for new vulnerabilities?
And what about your organisation’s own evolution? Every bold marketing initiative, every new process, every collaboration and outreach programme will carry fresh data challenges. Have you baked data protection into your thinking at every stage, or is it still something you try to put in place after the fact? Who’s going to be responsible for holding every part of your organisation to account?
Consumers are far more alert to data issues than they were a year ago, thanks to all these high-profile breaches. We’re bound to see a wave of data subject access, correction and erasure requests in the first few months after the introduction of the GDPR. Who’s going to deal with all of that, and make sure your responses are comprehensive and compliant, not embarrassing?
The UK implementation of GDPR also brings some new criminal and civil liabilities. I’m sure you’ve told your board or trustees all about this, and they’re completely aware of their exposure. But how are you (and they) going to demonstrate that there’s effective governance of data protection within your organisation? Ignorance is no defence under the law, so you need some way to keep them up to date on all your data processing, and all the work you’re doing to protect it. Who’s writing those reports, and making sure the board understands them?
If you think that all sounds like a lot of work, you’re right. That’s why we’re here to help you by taking some of the load off your shoulders. Whether you want a network that’s guaranteed to be secure, help managing your IT systems or someone else to maintain your policies and data processing records, come and talk to us and see how we can make it easier.