It’s finally here, the EU General Data Protection Regulation (GDPR) is now in full effect. Is that a sigh of relief I hear? Well, it shouldn’t be too heavy a sigh, there’s still work to be done!
The first thing to remember is that just because it’s the 25th May, doesn’t mean GDPR efforts are over. While most organizations have executed pre-enforcement date compliance preparation work including updating policies and systems, reviewing databases and going through the process of obtaining consent from EU contacts to continue holding their data, now the enforcement date has arrived, there should be a bigger push than ever to ensure your organization is remains compliant into the future.
Remember the old Scout motto of ‘Be Prepared’? Any number of things could happen on, or after, ‘Day One’ that organizations need to be ready for. These might include a data breach, which could come from a malicious attack or an employee sending confidential information to the wrong person by mistake, or customers exercising their right to be forgotten (RTBF). Whatever happens, the main thing is to have a plan in place to deal with both formal requests as well as a non-compliance issue.
There are three main areas which need to be addressed in order to have a fully-capable plan in place:
While most employees are likely to be aware of GDPR, it is certainly worth sending a company-wide email today to remind everyone it’s D-Day. It's important to keep employees informed of new policies and processes, where data must be kept and who has authorized access to it, what to look for in a malicious email and who to go to should a breach happen. Ensuring that all employees, from board level down, know what processes need to be followed will be vital to continued compliance. In return, employees should be used to help make suggestions as to where improvements can be made and where additional risks may lie. Businesses requirements constantly change with new projects and initiatives starting up and being worked on. If they involve handling EU citizen data, GDPR must be a key consideration as these projects and inititiatives are executed on.
All organizations should already have processes in place and these should have been reviewed and updated as part of preparing an organization for GDPR compliance. However, as time passes and we get further into GDPR issues, it’s critical that processes are amended to reflect what has been learned – whether that is through continual checking for unwanted data, RTBF requests or a data breach. As new products and services are introduced, processes and policies should be reviewed to reflect changes within the business and in turn, this needs to be communicated to employees.
Technology should be implemented as a safety net for an organization. No matter how well-trained staff are or how many processes are put in place, there is always going to be the threat of a slip-up that could lead to non-compliance and ultimately hefty fines. GDPR is not going to be in the headlines forever and its principles are likely to slip to the back of peoples’ minds, so it’s important the right technology is place to help protect critical information. In addition, with the first wave of RTFB requests coming in post-May 25th, any gaps in existing security infrastructures that have not already been found during GDPR preparation, are likely to be discovered and need to be filled as soon as possible. Adaptive Data Loss Prevention technology (A-DLP) provides an organization with the control and visibility of data flowing both in and out of the company as well as automating best practice data protection processes and enforcing an information security policy. Therefore, A-DLP should be seen as an enhancement to the processes already in place, something which can run in the background as a precautionary measure.
Whatever happens post-GDPR enforcement, it’s important to keep in mind that the threat of a data breach or RTBF request does not disappear after the first day. Compliance is an ongoing task with policies and processes needing to be adjusted as business practice evolves or new services and products are introduced.
Contact the Clearswift team to learn more about how we can help you protect your organization with GDPR compliance.