There’s no shortage of GDPR expertise in the UK, it appears. A google.com search for “UK GDPR experts” returns in excess of 330,000 results, with many of these businesses seemingly offering conflicting approaches and roadmaps.
So, if you haven’t started planning for GDPR yet, where on earth do you begin if you don’t know your cyber hygiene from your data mapping?
Rather than present you with another “Seven steps to…” list, let’s instead take a look at what an organisation that’s in good shape might look like:
1. Every employee understands enough about GDPR and what their personal responsibilities are.
It’s about doing everything you can across people, process and technology to create an environment in which data is kept under control. So, it’s important to nurture a culture where everyone understands the role they play and how it impacts the organisation’s risk posture. Make it a mandatory part of job roles, the company’s induction processes, regular development plans and regular reviews. Ensure that employees feel comfortable reporting a data breach or near miss without fear of reprisal.
2. The business accepts that things will, at some point, go wrong and knows how it will respond at that time.
As an example, you’ll have seventy-two hours from first becoming aware of a potential data breach in which to notify the authorities. You won’t have time to create an Incident Response Plan (IRP) from scratch, so build templates, assign ownership, and print out hard copies of your IRP in case your IT systems have been compromised. Plan for a variety of scenarios, such as being unable to occupy your premises or access any information. Lastly, make sure your IT disaster recovery planning adequately reflects the potential situation.
3. It sees the opportunities that GDPR presents.
Having a robust business that’s in control of its data is actually a fantastic sales and marketing tool in itself. Make sure that you talk to your clients about the efforts you’re putting into protecting their data. Use it to start new conversations with prospective clients and win business off the back of it. As we’ve seen with the Cyber Essentials scheme, it’s only a question of time anyway before the supply chain mandates that you’ve demonstrably taken this seriously – it’s their reputation at stake too. Going through the GDPR exercise also often presents a great opportunity to streamline how your business operates and uses data.