By Michelle Drolet
Founder & CEO
June 1, 2018
The buck stops here. You must have a DPO (or virtual DPO) who is responsible for the management of data. It may have proven difficult to secure a qualified, experienced DPO with so many companies in the market for one, but it’s vital they know what they’re doing. If you assigned an existing employee, then you need to train them properly and allow them time to stay abreast of the latest regulations and procedures. If you drafted a virtual CISO as a stop-gap solution, you’ll want to think about your longer-term plan.
Having a good DPO should help with this, but you’ll still need to work to ensure that no one buries their head in the sand when a breach does occur. Even with robust security, data breaches are a fact of life, but under the GDPR you are legally required to report a breach within 72 hours. Don’t be like Equifax: get your procedure fully documented and educate all your staff about the rules.
Make sure that you have a system in place to obtain proper consent from people to store their personal data – simple opt-in clicks are not sufficient. You must also be prepared to erase or restrict the use of that data and to provide people with copies on request. If you receive a Subject Access Request (SAR), you have 30 days to deliver extensive information on how you are processing the data, port it to another provider, or erase it permanently, depending on the request.
It’s not enough to store and process data securely; you should also separate it, extracting what’s necessary for operational purposes from anything that could be used to personally identify who the data belongs to. If data can be attributed to a specific subject easily, then you need to act to remedy that by removing or obscuring direct identifiers. Pseudonymization is a clever way to preserve the usefulness of data and reduce the risk of exposure, providing a second line of defence if encryption or other defences fail.
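The identifier separation described above, as an added example that is not from the original article: direct identifiers are replaced by a keyed HMAC token and moved into a separately stored vault, so the operational dataset on its own identifies no one, while the same token still lets a Subject Access or erasure request be served. The key, records and field names are constructed for illustration.

```python
import hmac
import hashlib

# Constructed sample records (not real people): direct identifiers plus the
# operational fields the business actually needs for processing.
DIRECT_IDENTIFIERS = ("name", "email")
SAMPLE_RECORDS = [
    {"name": "Ada Example", "email": "ada@example.test", "plan": "pro", "last_login": "2018-05-30"},
    {"name": "Bob Sample", "email": "bob@example.test", "plan": "free", "last_login": "2018-05-28"},
]
# Hypothetical pseudonymization key. In practice it lives in a KMS/HSM, never beside the data.
PSEUDONYM_KEY = b"constructed-demo-key-not-for-production"


def pseudonym(email: str, key: bytes) -> str:
    """Keyed, deterministic token: same subject -> same token; no way back without the key."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()[:32]


def split_records(records: list, key: bytes) -> tuple:
    """Split records into (operational dataset, identity vault).
    The operational set carries only the token and non-identifying fields; the vault
    maps token -> direct identifiers and is stored and access-controlled separately."""
    operational, vault = [], {}
    for rec in records:
        token = pseudonym(rec["email"], key)
        vault[token] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        operational.append({"subject": token, **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}})
    return operational, vault


def records_for_subject(email: str, key: bytes, operational: list) -> list:
    """Subject Access Request: recompute the token and select that subject's rows."""
    token = pseudonym(email, key)
    return [r for r in operational if r["subject"] == token]


def erase_subject(email: str, key: bytes, operational: list, vault: dict) -> int:
    """Erasure request: drop the vault entry and the subject's operational rows; returns rows removed."""
    token = pseudonym(email, key)
    vault.pop(token, None)
    before = len(operational)
    operational[:] = [r for r in operational if r["subject"] != token]
    return before - len(operational)


if __name__ == "__main__":
    ops, vault = split_records(SAMPLE_RECORDS, PSEUDONYM_KEY)
    print(ops)  # tokens with plan/last_login only: no names or e-mails
    print(records_for_subject("ada@example.test", PSEUDONYM_KEY, ops))
```

A leaked copy of the operational dataset exposes only tokens, and a token can only be linked back to a person by someone holding both the key and the vault.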
It used to be the case that only “data controllers” were subject to the law on breaches, but with the GDPR coming in, that same principle applies to “data processors”. That means anyone processing data, even if it’s on the instructions of another company, is jointly liable in the event of a breach. In the modern business world, with the proliferation of cloud services and software, that could apply to several of your partners and vendors. Make sure everyone you do business with has the right protections and procedures in place.
Resist the temptation to relax as we move beyond the GDPR deadline. Just like your wider security measures, data management is something that must be continually assessed, tested, and tweaked for maximum efficiency and protection.
If you really want a clear picture of your potential exposure and solid advice on mitigation, then you should strongly consider regularly engaging a GDPR consulting firm to perform a risk assessment and gap analysis, or even just a simple whiteboard session. You should also consider a business impact analysis to help you understand and hone your risk posture. Only by operationalizing your data management and security can you ensure continued compliance.