Five steps to readiness for Global Data Protection Regulation

Designed to tighten, streamline and unify digital privacy laws across the European Union, the Global Data Protection Regulation (GDPR) is now close to implementation. Organisations that handle EU citizens’ data need to be prepared, according to data privacy firm Atos.

With last Thursday (January 28) having been declared international ‘Data Protection (Privacy) Day’, the onus is on company directors to ensure awareness and controls are baked into the very DNA of their businesses and permeate to every employee, says Atos. The firm is putting forward five recommendations to help organisations get ready for the new rules.

“Given the criticality of data protection compliance it’s important that not just technology processes are considered but also its integration with business processes and the information provision around it,” says Abbas Shahim, governance and risk partner at Atos. “Besides, it is obvious these days that poor cybersecurity is a threat to privacy.”

Some four years in the making, the EU agreed on the latest draft of the GDPR in mid-December. The legislation is a single law that applies to each of the 28 member states.

Who’s responsible?

GDPR applies to any organisation that touches the personal data of EU residents. That applies even if they’re based outside the region.

‘Personal data’ is an umbrella term that covers everything from a name or email address to photos on Facebook or Twitter. ‘Sensitive’ data, which covers items such as medical or financial details, require their own approach and companies need to make sure they are covered.

Among the duties and responsibilities imposed by GDPR:
• Organisations must have implemented adequate measures to protect personal information they are allowed or instructed to process.
• Breaches need to be reported to data protection authorities immediately they are detected.
• A data protection officer needs to be appointed to deal with the authorities.
• Failure to comply with GDPR could result in fines up to 5% of a company’s global annual turnover.
• It is an employee’s mandate to be compliant when processing sensitive citizens’ data.
• Get processes in place now as a daily routine.

Countdown to compliance:

In order to be ready for GDPR, Atos recommends that companies take the following five basic steps:

1. Understanding data governance:
> Ensuring that data is good quality means knowing the source, which system or app it is held in and whether it is complete and accurate.
> Where third parties are involved, ensure there are clear agreements on storage, use and ownership of the data.

2. Design a gap analysis:
> Organisations will already have a system of controls around privacy. With the new legislation, they should map out where their existing framework overlaps and where controls need to be expanded and/or improved in order to comply.

3. Design and implement controls:
> Once gaps or weaknesses in the compliance process have been identified (for example in HR or finance departments), organisations must design new controls to plug them.

4. Install encryption packages:
> This will help ensure the secure storage and transfer of an individual’s (suppliers, employees, clients and others) data.
> Note that there is still a risk if an individual uses that data for unauthorised purposes.

5. Proving compliance and traceability of information:
> Prepare for queries from compliance auditors.
> It is worth considering bringing in a third party to provide quality assurance ahead of any audit and to advise on how to prepare (a service that Atos offers).

“Organisations must have a complete picture of the data in their custody to be able to protect personal data and demonstrate compliance to clients, consumers and business partners,” says Patrick Nolan, senior vice president (SVP) and chief operations officer (COO) at Atos in Benelux and the Nordics.

