The best companies use innovative technology to manage regulation, explains Rob Savage, our head of professional services at Avatu.
Did you almost ignore this story because it mentioned GDPR? If so, I don’t think you’re alone.
GDPR has been so prevalent in business circles – for the last year or so – that while some people have faced the challenge head-on, others have become somewhat GDPR-blind, and are only just getting to grips with it now.
Either way, when it comes to the leaders who are dealing with the GDPR requirements, the best are seeing it as a business opportunity rather than a compliance exercise and are using innovation to short-circuit the challenge, as suggested by the GDPR wording itself.
Ground-breaking technologies, mainly in the communications field, have changed the way we do business, including how we store and use personal information. And they have also been the catalyst for the introduction of the GDPR.
Practices and policies have to change but the legislation also advises that technology is used, where possible, to provide the solutions.
There are many options for organisations. But to be compliant before May next year, they need to get advice and act now or run the risk of being left behind.
Information Commissioner Elizabeth Denham has told businesses there’s no time to delay in preparing for “the biggest change to data protection law for a generation”.
Data protection by design
One of the most significant parts of the GDPR is “data protection by default and design” and this is one area where technology can take away the burden of some of the GDPR requirements.
- Technologies are available which allow users to control a document at source. The document owner can easily set permissions on who can see what, and for how long they can have access. It can also restrict editing, printing, copying and screen captures. Outsourcing is such an integral part of business models today that most enterprises simply choose to live with its third-party security risks – or just turn a blind eye. But to achieve GDPR compliance this needs to be taken more seriously. This technology will help reduce the risk from this channel too.
- Technology which controls access to information and constantly reinforces staff training and company policies is available and will reduce the risk of a data breach. Technologies that are inbuilt into your systems mean that your team members only have access to the data they need for their job – no more, no less.
- One of the most vulnerable routes to your valuable data is malware hidden in email attachments. Technologies which reduce the risk of this being successful should be deployed. Ground-breaking technologies which mean that successful cyber attacks are caught quickly (in minutes instead of months) will limit the damage that data thieves can do.
Understanding your data
GDPR creates some new rights for individuals and strengthens some of the rights that currently exist under the Data Protection Act. In various articles (including 15, 16, 17 and 18), the GDPR provides rights for individuals. These include the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability and the right to object.
It’s very difficult, however, to satisfy these commitments if you don’t know and understand your data.
Technologies can help you fully understand what you’ve got, where it’s held and how you can deal with any individual requests under the GDPR.
Organisations will require technology to help them manage their data to:
- Connect individuals with their personal data
- Correctly categorise it, understand how it’s held and used, and search and retrieve it.
- Put things right, introduce the correct future activities and make sure you’ve found everything.
- Make it available to the individual (if necessary). This same technology will also help you with data protection impact assessments.
Responding to a breach
Well-run organisations will introduce the technologies I’ve mentioned in other sections. But as all business professionals know, there is no such thing as total protection. The risk will only ever be managed and reduced; it will never be eradicated.
With this in mind, the GDPR also expects organisations to prepare to deal with a data breach and introduces a duty on all organisations to report certain types of data breach to the ICO, and in some cases to the individuals affected, within 72 hours of the breach being discovered.
According to the GDPR, a breach is more than just losing personal data.
It says: “A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.”
It also requires an organisation to carry out preventive activity, with an obligation to have a process for “regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”
And if a breach is discovered the notification to the ICO must be made within 72 hours of discovery and must cover:
- The nature of the personal data breach including, where possible: the categories and approximate number of individuals concerned; and the categories and approximate number of personal data records concerned.
- The name and contact details of the data protection officer (if your organisation has one) or another contact point where more information can be obtained.
- A description of the likely consequences of the personal data breach.
- A description of the measures taken, or proposed to be taken, to deal with the personal data breach and, where appropriate, of the measures taken to mitigate any possible adverse effects.
Because of the tight timescales, it’s essential to have robust, tried and tested breach detection, investigation and internal reporting procedures in place, in which technology will have an important role.
If a breach happens:
This report first appeared in the New Statesman.