In our last blog post we discussed the basics of the GDPR requirements and the different types of data that fall under the new regulation. It is very important to ascertain whether, and to what extent, the regulation applies to your business: if it does, you need to get started; if it does not, document the reasons why and list the local data protection legislation that does apply. We are assuming at this stage that your organisation holds personally identifiable information (PII) relating to individual customers, such as name, identity number, location, and data revealing sexual orientation, racial or ethnic origin or religious beliefs. (The GDPR itself uses the term "personal data", and treats data such as racial or ethnic origin, political opinions, religious beliefs, health and sexual orientation as "special category" data that needs extra protection.) It should be clear that if you hold sensitive data about race or political persuasion it needs to be safeguarded.
So what do we do next? It depends on the size of your organisation and how mature related areas such as information protection and compliance may be. A small company may have nothing more than standard security policies, such as acceptable use of company equipment or of USB devices. However, GDPR compliance needs to be treated as a project, with identified resources, objectives and budget. It cannot be left to one team or individual, because the methods of control and protection are required across the company and affect everyone. The Group Project Team (GPT) will need to establish the governance: define the data privacy strategy and the policies that need to be put in place, define roles and responsibilities, start recruitment of Data Protection Officers (DPOs), and define the processes for Privacy Impact Assessments (PIAs), incident handling, and monitoring and reporting. Finally, the GPT will plan the education and training of the respective areas.
Once the GPT has established the necessary controls and processes, the applicable business areas will need to step up. The most relevant business areas will have been identified by the GPT from its early analysis of the policies and controls required; Human Resources and Payroll teams are often impacted, but sales, marketing and customer services may also hold PII of customers, partners and others. Each business area is advised to run workshops and risk discussions to map the flows of PII. GDPR requires control over PII as it flows around and through the organisation, which means ensuring that it is protected wherever it goes. A gap analysis of the PII held in the organisation against the GDPR requirements will then set the priorities for the subsequent work items. To identify privacy data in a business area, the ICO (the UK Information Commissioner's Office) recommends undertaking a Privacy Impact Assessment (PIA); in the GDPR text itself these are called Data Protection Impact Assessments (DPIAs).
The goal of a PIA is to identify where the privacy data is located, who owns it, which processes and workflows handle the information, and where it goes. From this the risks to the data and the controls required to protect it can be established. One PIA at the start is usually needed to build the privacy data inventory, which must then be maintained as systems and processes change.
The challenges arise with the workflows: controls must be in place for the in-house applications and infrastructure in each business area, and these workflows interact with external parties at the application, infrastructure and other interfaces. You need to understand the whole flow, whether the privacy data is your own or comes from an external source.
So, how prepared is your organisation for the implementation of GDPR? What needs to happen next? If you would like some help in answering this question, please contact us.
Part 3 of our blog series will discuss how to get executive sponsorship from the beginning as well as some typical things to watch out for – watch this space.