Businesses and organisations are preparing for the requirements which will soon be imposed through the enactment of the European Union's General Data Protection Regulation (GDPR).
In this blog, we share five key questions organisations can ask about the EU GDPR to start preparing.
Companies and public bodies will need to comply with the EU GDPR if they process personal data in the context of selling products or services to citizens in EU countries as well as the UK. Even if your company operates outside the EU but offers products and services to, or monitors the behaviour of, EU data subjects, you will need to comply with the GDPR.
Are you able to measure and demonstrate compliance with the GDPR?
By measuring your organisation against the GDPR requirements, it will gain the necessary assurance on whether it complies with the GDPR, highlight areas of weakness and be better prepared to plan and budget for remediation.
Do we have the processes and resources in place to support requests from individuals to access or delete their data in accordance with the GDPR?
The GDPR introduces more stringent requirements for the retention and processing of private and sensitive data. It is imperative for an organisation to have the correct policies and procedures in place to handle data in accordance with the principles set out in the GDPR.
Do we have the right level of consent and have we updated our data privacy notices?
The safety of minors online and the right to process or store sensitive or private data are key drivers of the GDPR. Transparency in how sensitive or private data is retained or processed and gaining the lawful authorisation to do so are key areas of focus for the GDPR.
Are we prepared for a data breach?
Having the necessary technical or administrative security controls in place to secure private or sensitive data and the ability to respond to suspected data breaches in a timely and correct manner will prepare your organisation to respond to most cyber attacks.
Do we have up-to-date records of all data processing activities?
An accurate and up-to-date inventory of the organisational assets used for the processing, retention, and transmission of private and sensitive data not only supports compliance with the GDPR but also provides a holistic view of all critical assets and business units involved in handling that data.
Do we incorporate privacy by design into our technical systems?
Nothing is more permanent than a temporary fix; this is why security best practice should be incorporated by design. By including the appropriate security controls at project inception, your organisation will ensure that all new systems and services are provided securely from the outset and that the cost of retrofitting security controls after go-live is vastly reduced or even eliminated.
An understanding of your readiness for the GDPR will enable you to plan and direct resources to address any gaps, reduce costs and increase organisational efficiency. If you're having trouble answering any of the questions above, a trusted GDPR expert like CIPHER can help you with compliance readiness. Check out our detailed guide to the GDPR below or contact us for GDPR readiness services!
Clive Boonzaaier is the Technical Director for CIPHER UK.