With only a matter of weeks to go before the European Union’s new General Data Protection Regulation (GDPR) regulations come into force, many Australian organisations are still scrambling to achieve readiness.
After the deadline of May 25, any organisation holding the personal data of EU citizens will need to enforce privacy principles that cover any transactions occurring within the region. Data could include anything from name and address details to purchase records, health details and credit scores.
Many organisations began their preparations two years ago when the requirements of the regulations were made public, while others have left the work to the very last minute. Regardless of their current status, all organisations operating in the region will be expected have attained compliance by the May deadline.
The strategy required to reach this point will differ significantly between companies. Those that already have robust information security and privacy practices in place will have less work to do than those that don’t.
It will also be easier for organisations where legal, IT and audit teams are already used to working closely together. In these cases, there’s likely to already be an appreciation by senior management that protection of personal data is important.
Those organisations with a long way still to go may realise achieving full compliance by May will be difficult if not impossible. However, this should not mean nothing is done. Plans need to be put in place to get as much completed as possible before the deadline, and the remainder during the months that follow.
Forming a GDPR compliance team
One of the most important factors all organisations need to realise is that GDPR compliance is not simply a technology issue. Compliance requires input and effort from people across the business and a GDPR project team should include people from departments such as:
Legal: The regulations are complex and have an impact on many areas of operations. The legal team will be invaluable in assessing how it will affect the organisation and communicating this to all staff.
Marketing: These teams are likely to be collecting and using customer data in myriad ways, so getting them involved early in the process is vital.
IT: Reviewing data stores and security measures is an important component of GDPR readiness. The IT team needs to be aware of the implications and required steps.
Business units: All business units that handle customer data should also be consulted. They will understand how data is being used and from where it’s being sourced.
Progressing toward compliance
With only very limited time to achieve compliance with the new regulations, it is a matter of setting priorities and following them.
A first step should be the formulation of a comprehensive plan that covers all parts of the business and details all the steps that need to be taken. These steps should include:
- Set up clear lines of communication with all parts of the business to fully understand how data is being collected, where it is being stored, and how it is being used. All subsidiaries and third-party suppliers must be included in this process.
- Create a clear and comprehensive catalogue of all customer data being retained across the organisation, noting its sensitivity and applicability to the GDPR rules.
- Gain a thorough understanding of data flows, both within in the organisation as well as to and from external parties. It must be protected at all times.
- Put policies in place to ensure proper deletion of data once it’s no longer required. Old data stores pose an unnecessary risk for the organisation.
- Understand consent and ensure customers are aware of when and how their personal data is being collected and used.
- Realise that GDPR compliance is a task that is never fully complete. As companies grow and change their situation will have to be constantly evaluated and reviewed.
The importance of effective security
Alongside the structural and organisational shifts that will need to happen across an organisation, putting in place effective data security measures is a further vital step. Thankfully, these are unlikely to differ significantly from the measures that are probably already in place to protect other types of sensitive data. They include:
Access controls: Having effective access control should be a top priority. By ensuring only those people who need access to personal data actually have access to it, the risk of breaches can be significantly reduced. Adding encryption to stored data can further increase this protection.
Anti-malware tools: Just as these are used to protect many parts of an organisation’s IT infrastructure, so they will be important when it comes to GDPR, assisting to reduce the potential for external threats that could compromise the stored data.
Logging: Put in place mechanisms that allow all activity to be logged, including what data is accessed, when and by whom. This will provide an audit trail should issues occur in the future.
Reporting: The organisation will need the ability to demonstrate to authorities what security measures are in place and how effective they have been. Regular reports will aid this process.
The constraints imposed by GDPR can seem onerous and a significant impost on day-to-day operations. However, with comprehensive planning and thorough implementation of required changes, compliance can be achieved with a minimal impact to operations.
Article by Zscaler's vice president of Asia Pacific and Japan, Scott Robertson.