Ben Brothwell – Security Practice Lead
21 April 2017
Classify IT to understand what GDPR means for your data
As you are no doubt already aware, the EU’s General Data Protection Regulation GDPR comes into force in May 2018, and will continue to apply even after the UK leaves the EU. In a nutshell, any organisations that hold or process any data that could be used to identify an EU citizen must protect that data against loss or exposure.
If you’ve read my first blog, you’ll know that Northdoor suggests you start by finding all the relevant data you hold and encrypting it – we call this stage “Find IT”. With that done, you can move on to classifying the data and building policies around it: “Classify IT”. At this stage, you’ll need to understand which elements within each data store – digital or paper-based – fall within GDPR, and to develop internal processes and governance to manage them on an ongoing basis. This is partly an organisational task and partly a technology task, so it will require good communications and cooperation between IT and the business.
As you look at the different types of processing you carry out on personal data, GDPR requires you to identify and document the legal basis for that processing. And unlike the existing DPA legislation, GDPR applies different rights depending on the legal basis. For example, individuals have a stronger right to request deletion of their data if consent is your sole legal basis for processing. Right away, this implies that most companies need to be more organised in how they classify data over time.
One key thing you’ll want to consider during the Classify IT stage is setting up measures to respond to citizens’ requests to access, amend, transfer or delete their data. There are penalty-enforced deadlines for dealing with these requests, so if you think your organisation will be getting large numbers of them, you should consider setting up a self-service portal.
Another important point to think about is the way in which you seek, obtain and record consent from individuals to hold their data. Under GDPR, consent must be a positive agreement – so you may need to review your processes and put in place an effective audit trail for demonstrating consent. And it’s worth treading carefully here: a couple of companies have already been stung with fines just for trying to put their houses in order!
To find out more about achieving GDPR compliance faster and more effectively, please contact us for an informal assessment or read our read our quick-start paper.