Following the recent high-profile exploitation of personal data involving Facebook, Cambridge Analytica and Dr Kogan, there is one inevitable outcome of this incident...
It will add even more weight behind the demands for greater protection of personally identifiable information (PII) and enhancing the rights of data subjects.
From a government position, the imminent arrival (65 days and counting!) of the GDPR (General Data Protection Regulation) and the passage of the Data Protection Bill through UK Parliament could not be better timed.
Both will place extra demands on any organisation processing personal data and, in the current political climate, I can only see greater enforcement with larger fines and more director accountability.
The key question is: what should your business be doing to improve your data protection and management?
Hopefully, by now, you have embarked on your GDPR compliance programme and have undertaken a gap analysis, compiled a prioritised action plan and are working through your ‘to do’ list in a joined-up manner with colleagues in other departments.
If this is not the case, you’ve still got time to significantly improve your compliance position - if you act promptly!
It is clear from all the organisations we have worked with that this is not a ‘one-man job’ - data protection is everyone’s responsibility.
A key player in any data protection programme is the information security manager. Whilst only one of the six GDPR principles directly refers to security, an integration of privacy information and security management systems is the most effective way of ‘demonstrating’ accountability and governance.
Additionally, integrating information risk assessments and privacy risk/impact assessments is quite simply a ‘no brainer’.
Training, training, training should be your mantra – tell your teams the behaviours you expect of them and why. They need to understand what personal data is in the context of your organisation and what the data protection principles are.
Everyone in the company needs to have a fundamental understanding of what the GDPR means to you, what you have done to address it and what your expectations of them are.
Have you been clear with your suppliers about what you expect of them and, in particular, how you expect them to handle and manage the personally identifiable information you are sharing with them?
Have you looked at contract clauses? Have you assured yourself that what you are asking of your suppliers is being delivered?
These are just a few questions you should be asking. Many organisations have been overly focused on internal issues, and have neglected looking outside to ensure suppliers are meeting their expectations and requirements.
Delete, purge, cleanse! If you don’t need it, don’t keep it. Treat the GDPR as your new broom – look hard and fast at your PII retention schedules and policy, and once you have reset your data retention policy, stick to it.
Your privacy notices should be written in clear and plain language, be provided free of charge, and be concise, transparent, intelligible and easily accessible. They must explain to people how you process their personal data. Do yours?
For further reading, take a look at Ultima's white paper to assess the impact of the GDPR, primarily from an IT perspective - examining the role that IT can, will and has to play in the implementation of the new requirements.
- By Lisa Dargan
(Business Development Director, Ultima Risk Management)