The GDPR regulation is ultimately about good data/information management and governance. Though many organisations acknowledged previous iterations of data protection regulation, GDPR demands that everyone step up their game and take responsibility or face severe consequences. The innovative use of technology aligned with the data handling processes and procedures will go a long way to achieve and maintain GDPR compliance.
Compliance with GDPR has strong data governance at its foundation.
Data governance should have executive ownership at its core and necessitates strong commitment is communicated and actioned. It involves auditing and risk management where data is identified, classified and managed in a controlled manner. Technology can inevitably be used to automate and scale this process especially where data volumes are extensive.
Data analysis and classification
One of the early steps on the GDPR journey is the analysis of data that is held, and identification and tagging of personal data. Organisations may hold a combination of structured and unstructured data, oftentimes data is held in multiple locations as multiple copies of records are made. Once identified, organisations will need to tag personal data and link pieces of data together that relate to the same individual. Systems will then also need to manage the consent element of GDPR enabling all data being held to be collated in accordance with access and consent requirements of GDPR.
Data management and security
Systems need to be in place that manages data quality throughout its lifecycle. Data location needs to be accurate, duplicates need to be detected, records need to be accurate and should be updated including corrections, amendments and deletions when requested including backup copies which are no longer required.
To support the data security requirements, systems functionality need to be in place that manages data records including encryption, deduplication, backup, deletion and providing access to complete records in a transferable manner. Applications that manage the data also need to be secure ensuring
that user access policies are enforced, and users do not get access to data they are not authorised to. Manual processes are likely to be inadequate and therefore technology will inevitably need to be in place to support this requirement.
In a cloud environment, this will need to be provided by cloud providers whose systems are GDPR compliant. The organisation, however, will still be responsible for securing the data and policing user access irrespective of the cloud providers security controls. For an on-premise scenario, the organisation will have total responsibility for ensuring the systems are in place.
Breach detection, response and reporting
GDPR requires that certain types of breaches are notified to the relevant authorities within 72 hours of the breach occurring. The notification will also require details of the breach such as; how many records were accessed, mitigating measures to counter the breach, consequences of the breach, risks to the individual, categories of data breached. To fully comply with this requirement, organisations will need to have excellent cyber security protection mechanisms and controls in place. This will include at least the following components;
- Network Security to ensure only authorised devices are able to access the networks
- User authentication mechanisms to ensure only authorised users have access to systems
- Intrusion Prevention Systems that detect and block unauthorised network access
- Monitoring systems to identify and alert if unauthorised activities are detected
- Logging capabilities to ensure all activity is logged and the information is available to undertake a forensic investigation should the need arise
These are just a few areas where technology applied effectively will greatly assist with GDPR compliance. Implementing the above technologies may well require additional investment if the systems are not yet in place, or it may just be a case of fine-tuning and optimising systems that are already in place.
Inevitably changes need to be made if anything more than lip service is to be paid to GDPR. There is, however, a positive spin on GDPR because it’s not about preventing business but about handling data properly, which must be a good thing for all concerned.