By James Taylor, Strategic Development Manager, UK and Ireland, Nuvias Group.
Understanding the data assets an organisation collects, holds and processes is an essential step in the planning stages of GDPR readiness. Having said that, any GDPR preparation must be done with the absolute buy-in of the Board.
As per the National Cyber Security Centre’s guidance in their 10 Steps to Cyber Security: “Set up your Risk Management Regime: Assess the risks to your organisation’s information and systems with the same vigour you would for legal, regulatory, financial or operational risks. To achieve this, embed a Risk Management Regime across your organisation, supported by the Board and senior managers.”
Whether or not you are required by GDPR to appoint a Data Protection Officer (DPO), appoint one. The DPO can then review your organisation’s data needs, ensuring you are only collecting the data appropriate to running the business and no more; marketing lists, employee files, cookie tracking and purchased marketing lists should all be reviewed with the vigour described above. Make sure your organisation has express consent to process the data in accordance with the expectations of the person giving you their details. This is a fantastic opportunity to review all the forms you use to collect data and make sure they are in clear English, detailing how your organisation will process the data and respect the individual’s privacy.
Once you have identified all the data types and sources your organisation holds, you need to understand where the data is stored and who can access it. Printed copies should be securely stored, with regular reviews to ensure the copies are still required; if not, securely destroy them. Electronic storage within a structured database should be relatively easy to recognise, maintain and protect. The larger problem is unstructured data and knowing where Personally Identifiable Information (PII) or personally sensitive information is stored. Having completed the “what data do I collect” exercise correctly, data discovery tools can then search all mappable drives to find sensitive files (.docx, .xlsx, .pdf etc.) that may contain the data you are searching for: e-mail addresses, phone numbers, credit card details, National Insurance numbers etc.
Once you know where your unstructured sensitive files are stored, move them to a central repository from which you can defend access; protectively mark these sensitive documents so that policy at the gateway or endpoint can quickly inspect the metadata to allow or block the file.
Set up processes and procedures to be able to respond in a timely fashion to Data Subject Access Requests (DSARs). Finding a citizen within your paper records will require a physical search. Finding a citizen within your CRM or other database should be accommodated by the application itself. The same tool that helped your organisation find sensitive files ought to be able to find specific data subjects within unstructured data, giving the organisation the ability to respond to DSARs within the 30 days prescribed.
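As an added illustration of the two searches described above (the PII discovery sweep over mappable drives and the per-subject DSAR search), here is a small Python scanner; it is example code written for this page, not a tool from the author or Nuvias, and it assumes the files of interest are plain-text (.txt, .csv, .md) rather than the .docx/.xlsx/.pdf formats a commercial discovery tool would also parse.

```python
import re
from pathlib import Path

# Regexes for the identifier types the article lists (constructed for this example;
# discovery tools produce false positives, so every hit still needs human review).
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "phone": re.compile(r"(?:\+44\s?|\b0)(?:\d[\s-]?){9}\d\b"),   # UK: 0 or +44, then 10 digits
    "card":  re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),             # 13-19 digits, Luhn-checked below
    # UK National Insurance number AA 12 34 56 A; D F I Q U V never appear in the prefix, O never second
    "nino":  re.compile(r"\b([A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z])\s?(\d{2})\s?(\d{2})\s?(\d{2})\s?([A-D])\b", re.I),
}
BAD_NINO_PREFIXES = {"BG", "GB", "KN", "NK", "NT", "TN", "ZZ"}   # prefixes HMRC never issues

def luhn_valid(digits: str) -> bool:
    """Mod-10 check that separates real card numbers from order/reference numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pii(text: str) -> dict:
    """Return {type: sorted unique hits} for the identifiers found in text."""
    hits = {}
    for m in PATTERNS["email"].finditer(text):
        hits.setdefault("email", set()).add(m.group(0))
    for m in PATTERNS["phone"].finditer(text):
        hits.setdefault("phone", set()).add(m.group(0))
    for m in PATTERNS["card"].finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):              # drop reference numbers that merely look like cards
            hits.setdefault("card", set()).add(digits)
    for m in PATTERNS["nino"].finditer(text):
        nino = "".join(m.groups()).upper()
        if nino[:2] not in BAD_NINO_PREFIXES:
            hits.setdefault("nino", set()).add(nino)
    return {k: sorted(v) for k, v in hits.items()}

def mentions_subject(text: str, subject_terms) -> bool:
    """DSAR support: does this text mention any of the data subject's identifiers?"""
    return any(t.lower() in text.lower() for t in subject_terms)

def scan_directory(root: str, suffixes=(".txt", ".csv", ".md"), subject_terms=()):
    """Walk root; yield (path, pii found, mentions DSAR subject) for files worth reviewing."""
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            text = path.read_text(errors="ignore")
            found, subject = find_pii(text), mentions_subject(text, subject_terms)
            if found or subject:
                yield str(path), found, subject

SAMPLE = """Constructed sample record, not real data.
Customer: Alice Smith, alice.smith@example.co.uk, tel 07700 900123
Payment card 4111 1111 1111 1111, NI number GB 12 34 56 C (GB prefix is never issued)
NI number AB 12 34 56 C. Order ref 1234 5678 9012 3456 fails the Luhn check.
"""
```

Running `find_pii(SAMPLE)` reports the e-mail, phone, the Luhn-valid card and the AB-prefixed NI number only, and `scan_directory` applies the same checks file by file while also flagging which files mention a named data subject.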
Of course, having established good data hygiene, train, remind and test your employees’ awareness of the fundamental right we all enjoy to a private life, and of their duty to respect, manage and maintain the data the organisation processes in a professional manner.