The General Data Protection Regulation (GDPR) is a European regulation that establishes rules for the collection, movement and use of personal data. Compliance is mandatory, penalties are stiff, and ignorance is no excuse. However, enforcement is not as draconian as it may sound. If you’re a small or medium business making reasonable efforts to improve your processes and follow the rules, you should be fine.
So, what do “reasonable efforts” entail?
Data Breaches – Be Prepared
Test your response regularly, at least once a year, via a desktop (tabletop) exercise with your senior leadership. Make sure that you have a centralized point of escalation for all staff (and for customers, via your privacy notice) to report incidents. Assemble a core team of subject-matter experts (SMEs) from Tech, Security, Legal, and other relevant functions to triage incidents and facilitate effective escalation.
The Information Commissioner’s Office (ICO) has clearly said that when considering contraventions of the rules and potential monetary penalties, it will take into account the level of training staff receive. If the ICO comes knocking, you are highly likely to be asked to provide copies of the training procedures you have in place.
Policies and Processes
It is important that the data protection principles are translated into practical rules, processes and template solutions for standard situations. Where appropriate, automate data protection and privacy compliance.
It is just as important to develop a policy around data destruction and disposal as it is to put in place a detailed data retention policy. While the GDPR requires that personal data is kept no longer than necessary, it is important to recognize that other laws and regulations require some personal data to be kept for prescribed periods, so the two policies must be reconciled.
Privacy by Design
Privacy by Design (PbD) is often thought of as a concept for the IT team. You have to make sure IT systems have appropriate security and privacy controls in place – which for some means a change of approach for new system design and an upgrade for existing systems. PbD is a great concept to engage your senior management team – privacy must be ‘baked in’ across the whole organization. This involves reviewing all your processing to make sure risks are mitigated and appropriate compliance controls are in place.
This means ensuring that your data supply chain is accountable, which applies particularly to data received from partners and suppliers. A number of vendors collecting cookie data for third-party targeting appear to have only a rudimentary understanding of the standards of consent, or of the GDPR’s specific rejection of pre-checked boxes.
Fundamental Cyber is dedicated to protecting companies and employees from cyber criminals and to enabling compliance with privacy and security regulations including GDPR and HIPAA. Our user-friendly, affordable software tools enable people to work safely at home or in the office. Learn the fundamentals at https://fundamentalcyber.com.