by Naome Harrison
As 25th May 2018 looms closer, Information Security personnel and anybody responsible for data protection should be ready to ensure that their organisation has completed their GDPR compliance checklist for the General Data Protection Regulation coming into force on that day.
Data Privacy Impact Assessments (DPIAs) should be well on their way to completion and Data Flow Maps drafted, if not already pinned to the walls of your ‘War Room’ as you manage the mass of information that tracking Personal Data (“Data”) has caused!
Keeping Data-tracking simple is the key. Don’t over-complicate the process. In most cases, we only need one ‘Source of Truth’ Data set used in multiple places for different legitimate reasons for collection and processing.
As Intercity’s Information Security & Compliance Manager I am responsible for our GDPR compliance project. From my experience, a key tip is to look at the processes that employ the Data and track them rather than trying to track the full lifecycle of the Data all at once.
Your GDPR compliance checklist:
Provided that you keep the Source of Truth, tracking the process enables you to tackle bite-size chunks with the relevant stakeholders and ask the following questions for each process as part of your GDPR compliance checklist:
- What is the reason for collecting/processing the Data?
- What do they do with the Data?
- Is the Data altered or added to (and if so, does that create another Source of Truth)?
- How extensively is the Data processed?
- Do they only hold the Data because that is how it was done years ago?
- Could the Data be extracted from the Source of Truth when needed rather than keeping a separate copy?
The answers to these questions could be “Yes, we use the Data”, “No, we don’t need the Data any more as we now have access to the system”, or even “I like keeping the Data, just in case.”
GDPR compliance isn’t intended to stop you from processing Data or stripping it down so there is only one Source of Truth. It’s intended to ensure that you:
- Know the Data location
- Have a legitimate reason for having the Data
- Understand what you do with the Data
- Take responsibility for the Data
- Do everything reasonably possible to keep that Data secure!
Remember: Data doesn’t belong to the company. It is on loan from people who are entitled to expect that it will be used only for the purpose for which it was collected and that it will be safe in someone else’s hands.
Risk Management and Information Security are fundamental key processes within GDPR!
So what causes Information Security risk? People, processes and technology.
People are one of the biggest risks because we can’t control everything that they do. You can’t put a firewall or a configuration setting in front of someone that says “you can’t process Data in that way” or “if you receive this Data, you must do a particular thing with it.”
People are independent, so although you can influence them, you can’t control them. So how do we mitigate the risk? Employees should understand the risk associated with Data, particularly that which they hold or process. A training program including Data protection and information control should be given to everyone, supported by published, accessible policies and processes on: information classification, document control and acceptable use of equipment.
Technology also plays a massive part in any key business process. From small SMEs to enterprises, technology is everywhere: from obvious, visible technology like laptops, mobile phones, the Internet, email and applications, to technology used in the background like servers, cloud computing and firewalls, and the list goes on. Ensuring the security of all technology that collects or processes Data should be a key part of your GDPR compliance checklist.
ISO27001 Information Security accreditation is a key indicator of how seriously an organisation takes security. ISO27001 certification ensures the ongoing confidentiality, integrity and availability of information within the business. Have you asked your suppliers whether they have this certification?
Ask for a copy of the certificate along with a signed Code of Conduct - this will give you more confidence that any outsourced processing of Data is being handled appropriately.
To sum up, my tips as a GDPR practitioner going through the Information Security GDPR compliance process are:
- Make GDPR compliance realistic and a helpful way of securing Data rather than just a word that means more work! Don’t over-complicate the process!
- Keep it in bite-size chunks and look at Data within each process.
- Give key stakeholders the responsibility for the Data that they collect/process.
- Don’t over-complicate your Code of Conduct. It’s important to get it right but just ask the key questions - not every information security question available.
- Don’t panic ... prioritise high-risk areas first such as HR and Marketing.
- And remember with GDPR, Data means Personal Data only - not all data!