GDPR is less than 4 months away, and if you asked many organisations in Ireland and across Europe whether they are ready for GDPR, the answer would be NO! Certification Europe is currently working with organisations across Ireland to help them prepare for GDPR before the May 25th deadline. Check out our 7 tips covering what you need to address on your GDPR journey.
1. Senior Management Buy-In
For many companies in Ireland, GDPR seems like a never-ending Rubik's cube of complex regulations, all of which are vital for your company going forward. Organisations must quickly understand what procedures they will need to implement in order to demonstrate compliance with GDPR. The first hurdle for your CISO will be getting senior management buy-in. Management must be aware of what will happen if they fail to comply with GDPR. Ignorance will not be tolerated, so management buy-in must be 100%.
2. GDPR Audit
The first step when implementing any new procedures or management systems is to conduct a review of existing practices. This review, or as we would call it a Gap Analysis, involves assessing the data procedures already in place against the requirements of GDPR and highlighting any potential weaknesses.
This is a vital part of the process, as it is often unclear where the risks of non-compliance lie. Every company is different, so there is no point comparing like for like with an organisation that provides the same service as you, as procedures and personnel will differ greatly. Something as simple as an Excel spreadsheet on a desktop computer, or a box under the desk of printed documents containing customer data, will be seen as a non-conformity against GDPR. All of this should be ferreted out and clearly documented: when, how and why it was obtained; what you are going to do with it; and how long you are going to keep it.
3. Data Transparency
One of the main objectives of GDPR, and for many the most important, is to provide transparency of information for the individual. Organisations must clearly demonstrate and communicate to the individual what data you are collecting, why you want the data and how it will be used. Finally, you must show how you will protect the data from misuse or theft. This should be seen as a huge plus for organisations. It gives you, the company, a great opportunity to develop a trusting relationship with your audience, which in turn gives you a better opportunity to market your product or service going forward. This should not be underestimated.
4. Individuals’ Rights
GDPR is a big win for citizens. From May 25th GDPR will empower individuals with control over how their data is used. Key changes include:
- The right to be informed
- The right of access
- The right to rectification
- The right to be forgotten
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
All 8 are vital and must be adhered to, but the most significant rights you must be aware of from day one are the right of access and the right to be forgotten.
- Right of Access – Organisations must provide the individual with a record of all data they hold and how it was acquired. This must be a free service. Failure to respond to the request within one month may result in penalties.
- Right to be forgotten – This goes beyond the usual "unsubscribe from my email newsletter". Individuals will have the right at any time to contact your organisation and ask for all of their data to be removed.
5. Get Consent under GDPR
The rules around consent are clear: it must be freely given by the individual; the information must be unambiguous, specific and free of jargon; and consent must be given affirmatively. You must also inform the individual of who you are, how you are using their information and that they can withdraw their consent at any time.
You can quickly review this aspect of your data management systems by using this checklist.
- We have made the request for consent prominent and separate from our terms and conditions.
- We ask people to positively opt-in.
- We don’t use pre-ticked boxes or any other type of default consent.
- We use clear, plain language that is easy to understand.
- We specify why we want the data and what we’re going to do with it.
- We give the individual options to consent separately to different purposes and types of processing.
- We name our organisation and any third-party controllers who will be relying on the consent.
- We tell individuals they can withdraw their consent.
- We ensure that individuals can refuse to consent without detriment.
- We avoid making consent a precondition of a service.
- If we offer online services directly to children, we only seek consent if we have age-verification measures (and parental-consent measures for younger children) in place.
If you are unable to tick all these boxes, then you are at risk of not being compliant with GDPR after May 25th.
6. Train your staff
The 2017 Insider Threat Intelligence Report revealed that 68% of data breaches were caused by employee or contractor negligence. Training on what GDPR is and how it will affect all areas of the organisation should be provided to all members of the organisation.
It is also important to train your staff on how the new procedures or management systems being put in place help demonstrate GDPR compliance. For example, if you implement ISO 27001 there are Implementation and Lead Auditor training courses that can prepare your staff for potential data breaches, along with workshops that can be held in conjunction with conducting a GDPR Gap Analysis.
7. Demonstrate Compliance
A common misconception is that you can be 100% compliant with GDPR. It is not possible to be 100% compliant. As threats such as WannaCry and Bad Rabbit, to name just two from 2017, continue to evolve, it will always be a challenge to be 100% secure from a data breach, so demonstrating compliance is essential.
The key term is demonstrating GDPR compliance. Organisations must show how they are protecting and controlling users' data safely while maintaining transparency and upholding the users' rights. The best way to achieve this is by implementing an Information Security Management System and also becoming certified to those standards by an accredited body. The most common management systems implemented in 2017 and into 2018 are the ISO 27001 Information Security Management System and the BS 10012 Personal Information Management System, which was updated in April 2017 to conform with GDPR.
Certification is the no.1 method of demonstrating compliance with GDPR and can make the difference in whether you are penalised if there has been a data breach. To ensure your ISMS is maintained in the long term, regular training of staff is essential. Staff turnover and team members moving to other divisions are common, so ensuring their replacements are up to speed on your ISMS will be crucial.