In the first of our three articles, Agile provided a concise overview of the new GDPR regulations that come into force on 25th May 2018. In this second edition, we’ll help you to review your current data security measures and plan any business-critical actions in order to be ready.
Deadline: 25th May 2018
Affecting Who: All UK companies that hold “personal identification information”.
Affecting Where: All UK and European Union (EU) countries.
Affecting What: The “reasonable” measures you take to secure data and report breaches.
Whilst much focus will be aimed at reviewing data security, much of the advice is that businesses need to spend equal time reviewing their processes and protocols.
Larger companies should consider creating a cross-departmental taskforce to review their actions, as IT alone will not hold all the answers. The key objective is to identify the areas of risk and then take the necessary actions to mitigate those risks.
In smaller companies, there may not be the resources to address the issues and therefore external resources or specialist consultants may be required.
The following is guidance on the areas of data collection and retention that your review should consider.
- What personal data do you collect/store?
- Have you obtained it fairly, and do you have the necessary consents?
- Were you clear and unambiguous about the purpose for holding that data?
- Do you keep it updated, and are you holding it for any longer than is necessary?
- Are you keeping it safe and secure, using a level of security appropriate to the risk?
- Are you limiting access to ensure it is only being used for its intended purpose?
- Are you collecting ‘Sensitive Personal Data’ and securing it correctly?
- Are you transferring personal data outside the business whilst retaining adequate protection?
This provides a basic starter list as to information you should gather and review as a part of your overall GDPR compliance plan.
- Where does “personal identification information” reside within your business?
- Which databases hold the information, and what security is (and should be) in place?
- How does the data travel around or outside your business?
- What security measures ensure it is protected at all times?
- What protocols or processes are in place to avoid its loss or removal from the business?
- Is that data duplicated elsewhere, and are those copies protected to the same standards?
If, after your review, you feel that any of these areas need to be improved, then you should plan and timetable the required changes. Once any changes have been made, they should be tested and the results documented as proof of the actions undertaken to comply with the new GDPR standards.
Look out for Part 3, in which we’ll review the general and specific security measures available within much of today’s multifunctional printer and scanner technology, helping you to ensure that these too meet the needs of the GDPR legislation.
This article is for information purposes only and does not constitute legal advice. Therefore you may not rely on this paper as legal advice, nor as a recommendation of any particular legal understanding.