Practice Lead – Security
3 April 2017
The clock is ticking on GDPR, but you have to Find IT before you can fix it
Article 50 has been triggered, but even post-Brexit there will be no avoiding the EU’s GDPR (General Data Protection Regulation) for any company that employs, sells to, or works with EU citizens. GDPR, which comes into force from May 2018, puts restrictions on how you can store and use the personal data of EU citizens, with stiff financial penalties for non-compliance.
One potential stumbling-block for organisations is the way in which GDPR defines personal data: essentially, anything that could be used to identify an individual person is considered fair game. That may include IP addresses captured from visitors to your website, or even pseudonymised data used for reporting purposes. The new law also covers manual paper filing systems – another area in which it goes further than the existing UK Data Protection Act (DPA).
At the time of writing, May 2018 still feels a good way off – but the sheer scope of GDPR and its differences from existing legislation mean that you should already have started planning. If you haven’t… well, there’s no time like the present, and this journey of a thousand miles begins with a single step: identifying the relevant data.
As already discussed, GDPR requires you to protect any information that could conceivably identify a person. You need to understand what this means for your organisation: what personal data you hold on EU citizens, where this data is stored and who has access to it, throughout its lifecycle from creation to deletion. And in a highly networked world, you may also need to consider any data shared with business partners.
Here at Northdoor, we call the first stage “Find IT”. And it starts with talking to the people in the business who own the data and working out what you have. Once you’ve found all the data that might fall under the new legislation, you can move to the second and third stages – “Classify IT” and “Comply to IT” – and I’ll be writing blogs on those, too.
But even before you start precisely classifying your data, we’d recommend you encrypt everything. This is not only good general security practice, it’s also a fast and easy way to minimise the potential damage (and fines) if you suffer an accidental loss of data. And before you protest about how careful your company is, remember that the average UK organisation suffers 3.9 breaches per year, only 45% of which are actually recognised!
To find out how Northdoor can help you achieve GDPR compliance faster and more effectively, please contact us for an informal assessment or read our quick-start paper.