By Dr Guy Bunker
With just one year to go, businesses in the UK are looking for a practical approach to preparing for the General Data Protection Regulation (GDPR) and its more challenging aspects, in particular the ‘right to be forgotten’ (RTBF). From May 25 next year, if a company is presented with an RTBF request, it will have 30 days in which to find that individual’s information and delete all records of it that are no longer being used for their original purpose, unless they are required to be held for other regulatory reasons.
Where to start?
GDPR-related information will often flow through a complex data supply chain, and the majority of small to medium-sized businesses have no mechanisms to record where it is sent or saved, let alone which data should be kept or deleted.
Much of it will be in obvious places like CRM databases or employee HR systems; however, a lot will be more difficult to locate, especially when taking into consideration the operations many businesses outsource. This might include the bank details sent to a pensions provider, or even the order form shared with a logistics provider via cloud applications. Even when the information goes outside an organisation, the data is still that business’ responsibility, so it needs to know who it has shared the data with so it can pass on a corresponding RTBF request.
The first step any business should take is understanding how the GDPR’s requirements relate to any existing regulation the organisation might be subject to. Once current regulations have been reviewed, firms will be in a better position to conduct an information discovery audit to understand exactly what personal data they hold and where it can be found.
Furthermore, a business will need to map the data flows in and out of the organisation to build a picture of where the GDPR data is going and who it is going to. Ultimately, compliance requires three different areas to be considered:
People are an organisation’s biggest strength and biggest weakness. They make mistakes, store information in the wrong place, and use shortcuts that frequently put data outside the IT department’s control. Companies need to understand how their employees share information, and look at education or awareness programmes, or cultural changes, to plug the gaps.
Processes and associated policies are not just about preparing for an RTBF request, but also about defining the action a business will take when it gets one. Becoming compliant is really about good data governance and reducing risk, such as limiting who can access and share certain information, preventing information from leaving a network, and creating contracts with suppliers dictating how they may use personal data.
Technology can help GDPR compliance by automating manual data protection processes, enforcing security policies and providing visibility of data flowing in and out of an organisation. Adaptive security systems can be set up to automatically and consistently redact GDPR-relevant information from any communications, based on policy, especially when it is leaving the organisation. This helps avoid human error, such as an email sent to the wrong person, while also saving a company from redesigning many processes, such as applications that automatically generate customer reports.
Better data governance, better business
Compliance will have a positive knock-on effect on a business’ success, most notably improved trust with existing and prospective customers and clients, as well as any partners – a significant factor in a business’ ability to grow. By implementing the right processes and policies, and strengthening them with the right technologies, businesses will be well on the way to being GDPR compliant and ready for that first RTBF request.
Dr Guy Bunker is SVP of Products, Clearswift