7 Steps to become GDPR Ready

7 things to consider to help prepare for the GDPR

The bottom line as regards GDPR compliance is this: can your organisation defend, in a court of law, the actions and processes it took to implement GDPR, thereby limiting its liability to a fine?

GDPR is about proactively implementing the right personnel, procedures and processes to ensure that data is protected and dealt with appropriately, rather than treating it as a last-minute consideration. It is about conducting data protection impact assessments (see Article 35) and introducing complementary technology (content management systems, encryption, secure transit and storage of data etc.) to comply with and even exceed GDPR guidelines. Companies should use GDPR as a cornerstone of their risk mitigation process. There is no longer a limitation of liability: both the controller and any subcontracted processors are now equally liable for a data breach (see Articles 24, 26, 27, 28 and 29).

Unfortunately, some organisations suffer from a proliferation of unstructured and unauthorised applications used to store and manage files. This leads to increased security risk and reduced productivity and information sharing within the organisation. The desired outcome is therefore greater flexibility and control over data and content. The following recommendations and actions will help companies understand and interpret the new rules and gain a single, strategic, clean, top-down, command-and-control view of classified Personally Identifiable Information (PII).

There are, however, some very basic and core recommendations that KYOCERA suggests for “avoiding the fine” and ensuring that your organisation is compliant, so consider the following steps:

7 steps to prepare for GDPR

In order for your organisation to provide comprehensive, clear and transparent guidelines and policies, a responsible individual within or for your organisation should be appointed. GDPR (see Section 4: Article 39) references the appointment of a Data Protection Officer (DPO). This role is compulsory if (see Section 4: Article 37):

a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.

If your organisation does not fall under the above criteria, you do not have to appoint an external person. In fact, the role can be fulfilled by an employee, either part-time or combined with other duties. But, in performing the role, the DPO must have an independent reporting line (like most compliance officers), be empowered, and report directly to the Board without interference. What is important is that the appointed person must be a data protection professional with ‘expert’ knowledge of data protection law and practices, able to perform their duties so that your organisation achieves and maintains compliance.

The person appointed should ideally implement a strategy and project with the key objective of meeting or exceeding GDPR compliance requirements. The project must implement organisational, procedural and technical measures to demonstrate compliance.

GDPR is, to all intents and purposes, a time-boxed regulation. It will become effective on the 25th May 2018. It is therefore essential that you keep up to date and informed via the UK’s Information Commissioner’s Office (ICO). UK laws and guidelines may vary from time to time, so it is important that you are kept up to date on the regulation. There is a huge amount of information and guidance relating to GDPR and what next steps to take at https://ico.org.uk/

GDPR does not provide much exact guidance in terms of which technology (see Recitals 66, 67, 68, 71, 78, 81, 156 and 168) and/or security measures (see Article 32) to use, instead stating only that “appropriate” and “state of the art” technical protection measures be implemented. Data encryption is an important data protection technology called out in GDPR.

The vagueness of GDPR regarding exact guidance on the technology or technologies to be used makes interpretation of the regulation difficult. That said, it makes logical sense that implementing technical solutions will make compliance with GDPR easier and more efficient compared with manual processing. It is also probably the most cost-effective option, taking into consideration the following GDPR requirements:

a) data accuracy (see Article 5 – up-to-date data),
b) immediate access (see Article 15 – a company's ability to satisfy a Subject Access Request), and
c) data retention and erasure (also referred to as the right to be forgotten (RTBF); see Articles 16 and 17).

In an organisation there may be a large number of entry and exit points through which data, including personal data, can flow. These include electronic means (e-documents) and more traditional paper formats (scanned paper). It is important to understand where this data is captured, processed, output and retained. Conducting a thorough audit of these points, with special consideration of the personal data they contain, is the first step towards a good records management system and meeting GDPR guidelines.

Processing of personal data should be limited to what is necessary and linked to its purpose (data minimisation and storage limitation principles). There is a new obligation to keep internal records of all processing operations.

The implementation of technology, via an Electronic Document or Content Management system, may be one of the key enablers when dealing with personal data under GDPR. When selecting such a system, the following guidelines may assist you:

a) Devise a content services strategy that makes good use of technology that is fit for business purpose, targeting business functions where consolidation or integration is not viable or is difficult.
b) Evaluate whether there is any value in integrating it into an existing content services platform and your printer estate, as these may be used for scanning of documents into such a system.
c) Look for personal data and other content-related initiatives going on in other parts of the organisation and find converging use cases and requirements.
d) Deploy content technologies and services that make it easier to capture, manage, find and deliver content to users within the context of their roles and tasks, with an emphasis on personal data and its management.
e) Integrate services where technology solutions remain viable and where there is a compelling business case to do so. Consolidate content-related repositories of personal data and applications where there is a sound business case to do so.
f) Consider the implementation of security (encryption) and other (GDPR friendly) technologies.
g) Understand the propagation of metadata, to enable complete data erasure (RTBF) should it be required. Ensure that the system accommodates such functionality.

Encryption is one of the technologies specifically highlighted in GDPR as a safeguard against loss of personal data, and is therefore important protection against an organisational data breach. Encryption matters because, in the case of a breach, GDPR states that where the data has been rendered unintelligible through encryption to any person not authorised to access it, the organisation is not mandated to notify the affected data subjects.

Data stores, network architectures and peripherals such as PCs, USB sticks and printers should be encrypted to safeguard data.

Organisations need to understand that compliance does not end with completion of the initial GDPR project. Effort needs to be expended as part of a continuous improvement plan to continually track, retain or delete personal information that may be subject to retention guidelines.

The DPO is critical here, as sponsor and/or active participant, and should secure board sponsorship as and when required to maintain momentum.