7 things to consider to help prepare for the GDPR
The bottom line as regards GDPR compliance is this: can your organisation defend, in a court of law, the actions and processes it took to implement GDPR, thereby limiting the company's liability to a fine?
GDPR is about proactively implementing the right personnel, procedures and processes to ensure that data is protected and dealt with appropriately, rather than treating data protection as a last-minute consideration. It is about conducting data protection impact assessments (see Article 35) and introducing complementary technology (content management systems, encryption, secure transit and storage of data, etc.) in order to comply with and even exceed GDPR guidelines. Companies should use GDPR as a cornerstone of their risk mitigation process. There is no longer a limitation of liability, as both the controller and subcontracted processors are now equally liable for a data breach (see Articles 24, 26, 27, 28 and 29).
Unfortunately, some organisations suffer from a proliferation of unstructured and unauthorised applications used to store and manage files. This leads to increased security risks and decreased levels of productivity and information sharing within an organisation. The desired outcome for a company is therefore greater flexibility and control over its data and content. The following recommendations and actions will help companies to understand and interpret the new rules and to have a single strategic, clean, top-down, command-and-control view of classified Personally Identifiable Information (PII).
There are, however, some very basic and core recommendations that KYOCERA suggests for “avoiding the fine” and ensuring that your organisation is compliant; consider the following steps:
a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.
If your organisation does not fall under the above criteria (which make the appointment of a Data Protection Officer (DPO) mandatory), you do not have to appoint an external person. In fact, the role can be fulfilled by an employee, either as a part-time role or combined with other duties. But, in performing the role, the DPO must have an independent reporting line (like most compliance officers), be empowered, and report directly to the Board without interference. What is important is that the appointed person must be a data protection professional with ‘expert’ knowledge of data protection law and practices, so that they can perform their duties and ensure your organisation achieves and maintains compliance.
The person appointed should ideally implement a strategy and project with the key objective of meeting or exceeding GDPR compliance requirements. The project must implement organisational, procedural and technical measures to demonstrate compliance.
GDPR gives little exact guidance on which technology or technologies should be used, which makes the regulation difficult to interpret. That said, it makes logical sense that implementing a technical solution (or solutions) will make compliance with GDPR easier and more efficient when compared to manual processing. It is also probably the most cost-effective option, taking into consideration the following GDPR requirements:
a) data accuracy (see Article 5 – keeping data up to date),
b) immediate access (see Article 15 – a company's ability to satisfy a Subject Access Request), and
c) data retention and erasure (also referred to as the right to be forgotten (RTBF); see Articles 16 and 17).
Processing of personal data should be limited to what is necessary and linked to its purpose (the data minimisation and storage limitation principles). There is also a new obligation to keep internal records of all processing operations.
a) Devise a content services strategy that makes good use of technology that is fit for business purpose, targeting business functions where consolidation or integration is not viable or is difficult.
b) Evaluate whether there is any value in integrating it into an existing content services platform and your printer estate, as printers may be used for scanning documents into such a system.
c) Look for personal data and other content-related initiatives going on in other parts of the organisation and find converging use cases and requirements.
d) Deploy content technologies and services that make it easier to capture, manage, find and deliver content to users within the context of their roles and tasks, with an emphasis on personal data and its management.
e) Integrate services where technology solutions remain viable and where there is a compelling business case to do so. Consolidate content-related repositories of personal data and applications where there is a sound business case to do so.
f) Consider the implementation of security (encryption) and other GDPR-friendly technologies.
g) Understand how metadata propagates, so that complete data erasure (RTBF) can be carried out should it be required. Ensure that the system accommodates such functionality.
Data stores, network architectures and peripherals such as PCs, USB sticks and printers should be encrypted to safeguard data.
The DPO is critical to this effort, as both a sponsor and an active participant. The DPO should gain board sponsorship as and when required to maintain momentum.
WHAT IS GDPR?
On 25 May 2018, the European General Data Protection Regulation (GDPR) will supersede national laws such as the UK Data Protection Act, unifying data protection and easing the flow of personal data across all 28 EU member states.
GDPR 10 KEY FACTS
Discover the key GDPR features, the changes from the European Data Protection Directive, and how they may affect you.
ARE YOUR MFDs SECURE?
Printers and Multi-Function Devices (MFDs) are intelligent networked assets that, like a PC, contain a screen, a keyboard, a hard drive (which can potentially store sensitive information) and an operating system (OS). This makes them a key area to manage as part of your overall preparation for GDPR compliance.