How to stay GDPR compliant?
Since our inception, a lot of our work has been about capturing, processing, analyzing, storing and protecting all kinds of data. As data protection is closely linked to data integrity, a line of business we have been experts in for years, it was a logical step to get involved in preparing organizations for GDPR. After the initial panic that was caused by its arrival, most organizations have taken data protection measures of some kind. It is now vital to stay compliant.
Tools, templates and schemes
In line with our initial advice not to start spending large sums on expensive solutions and consultants, SMEs in particular have been able to whip up some kind of methodology on their own, whether or not this was done with one of the numerous compliance tools, templates and schemes available on the internet, including open GDPR. As no two organizations are completely alike however, such standards needed substantial tweaking here and there to match each individual organization.
In this context, a fresh pair of eyes in the form of training can enable organizations to become and stay GDPR compliant. When combined with auditing services, you can even kill two birds with one stone. But even then, people – as is often the case – constitute the weakest link. Without sufficient and ongoing awareness among your employees, becoming and staying completely GDPR proof will remain an illusion. To keep everyone focused at all times, we have put together what we initially called ‘The Ten Commandments of Fair Information’. As our insight has grown, these have been supplemented by a number of other meaningful rules to abide by. Here they are in random order:
- There should be limits to the collection of personal data (i.e. data should be relevant to the purposes for which they are to be used) and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.
- Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with [purpose specification principle] except: a) with the consent of the data subject; b) by the authority of law.
- Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data.
- Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
- Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
- Know Your Responsibility. As controller, companies have total responsibility for regulated data. They may rely on cloud providers that have contractually mandated penalties if a data breach occurs, but the controller will pay all sanctions and receive public blame for the breach. Implementing a data processing agreement is advisable.
- Think Like a Hacker. Knowing what data is most likely to be attacked and what vulnerabilities hackers are likely to exploit enables organizations to establish systematic protections and threat mitigation strategies.
- Adopt Pseudonymization. This combination of “pseudonym” and “anonymization” refers to a process of depersonalizing sensitive data. If data cannot be linked back to any specific individual, it is not subject to GDPR rules. It’s relatively easy to make data adequately anonymous using encryption and tokenization.
- Implement Best Practices. The GDPR requires that controllers follow evolving standards for protection, and it identifies encryption as a central tenet. Regulators believe encryption should become the default standard and should be enacted ASAP. This process must be carried out locally in order to abide by the GDPR, though, because if the controller does not hold the encryption key, then storage privacy is rendered irrelevant.
- Carry out Audits. Demonstrating GDPR compliance requires a sound auditing process that addresses elements such as screening of staff, application of encryption, password policy and security software. Controllers are required to evaluate how the processor is handling data and what protections are being put in place before submitting a comprehensive audit.
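To make the "Adopt Pseudonymization" and "Implement Best Practices" points concrete, here is a small added example (not code from the original post, and not a product of ours): it replaces an e-mail address in a record with a keyed pseudonym (HMAC-SHA256 under a key only the controller holds) and a random token whose mapping lives in a vault the controller keeps locally. The key, the vault class and the sample record are constructed for the demo; in production the key would come from a key management system under the controller's control. Note what the code shows: as long as the controller still holds the key or the vault, every record can be re-linked to the person, so the data is pseudonymized rather than anonymized; only destroying the key and the vault breaks the link.

```python
import hmac
import hashlib
import secrets

# Constructed sample: one customer record as a controller might hold it.
SAMPLE_RECORD = {"email": "a.person@example.org", "plan": "pro", "region": "NL"}

# Constructed placeholder key for the demo. In practice the controller draws this
# from its own KMS/HSM and never ships it alongside the pseudonymized data set.
CONTROLLER_KEY = bytes.fromhex("00" * 32)


def pseudonym(identifier: str, key: bytes) -> str:
    """Deterministic pseudonym: HMAC-SHA256 of the identifier under the controller's key.

    The same identifier always yields the same pseudonym, so records can still be
    joined and counted. Without the key the pseudonym cannot be recomputed, which is
    the difference from a plain SHA-256 hash that anyone can check against a list of
    guessed e-mail addresses.
    """
    return hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256).hexdigest()


class TokenVault:
    """Reversible tokenization: random token <-> original value.

    The mapping is the only way back to the real value, so the vault must stay with
    the controller and be access-controlled and audited like the key itself.
    """

    def __init__(self) -> None:
        self._to_value: dict[str, str] = {}
        self._to_token: dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        # Reuse the existing token so the same person gets the same token.
        if value in self._to_token:
            return self._to_token[value]
        token = "tok_" + secrets.token_hex(16)  # random, carries no information about value
        self._to_token[value] = token
        self._to_value[token] = value
        return token

    def detokenize(self, token: str) -> str:
        # Raises KeyError for tokens this vault never issued: no vault, no way back.
        return self._to_value[token]


def pseudonymize_record(record: dict, key: bytes, vault: TokenVault) -> dict:
    """Return a copy of the record with the direct identifier replaced.

    The copy keeps a keyed pseudonym (for joins and analytics) and a vault token
    (for controlled re-identification); the e-mail itself is removed.
    """
    out = dict(record)
    out["email_pseudonym"] = pseudonym(record["email"], key)
    out["email_token"] = vault.tokenize(record["email"])
    del out["email"]
    return out


def can_relink(pseudonymized: dict, candidate_email: str, key: bytes) -> bool:
    """Controller-side check: does this record belong to candidate_email?

    Only someone holding the key can answer this, which is what makes the
    pseudonym safe to hand to a processor that does not hold the key.
    """
    expected = pseudonym(candidate_email, key)
    return hmac.compare_digest(pseudonymized["email_pseudonym"], expected)


if __name__ == "__main__":
    vault = TokenVault()
    shared = pseudonymize_record(SAMPLE_RECORD, CONTROLLER_KEY, vault)
    print("data set row handed to processor:", shared)
    print("controller can re-link:", can_relink(shared, SAMPLE_RECORD["email"], CONTROLLER_KEY))
    print("controller can detokenize:", vault.detokenize(shared["email_token"]))
```

The processor that receives `shared` holds neither the key nor the vault, so it can count, join and analyze by `email_pseudonym` but cannot name the person; the controller, holding both, remains responsible for that data and for who is allowed to call `detokenize`.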
In case you need some help walking the straight and narrow, our certified Data Protection Officers are available to keep you focused. Please bear in mind that it is easier to be forgiven for breaking the biblical commandments than it is to be forgiven by the data protection authorities…
A fresh pair of eyes in terms of training and auditing services will help organizations stay focused