So, if you haven’t started planning for GDPR yet, where on earth do you begin if you don’t know your cyber hygiene from your data mapping?
Rather than present you with another “Seven steps to…” list, let’s instead take a look at what an organisation that’s in good shape might look like:
1. Every employee understands enough about GDPR and what their personal responsibilities are.
It’s about doing everything you can across people, process and technology to create an environment in which data is kept under control. So, it’s important to nurture a culture where everyone understands the role they play and how it impacts the organisation’s risk posture. Make it a mandatory part of job roles, the company’s induction processes, regular development plans and regular reviews. Ensure that employees feel comfortable reporting a data breach or near miss without fear of reprisal.
2. The business accepts that things will, at some point, go wrong and knows how it will respond at that time.
As an example, you’ll have seventy-two hours from first becoming aware of a potential data breach in which to notify the authorities. You won’t have time to create an Incident Response Plan (IRP) from scratch, so build templates, assign ownership, and print out hard copies of your IRP in case your IT systems have been compromised. Plan for a variety of scenarios, as you would if you were unable to occupy your premises or access any information. Lastly, make sure your IT disaster recovery planning adequately reflects the potential situation.
3. It sees the opportunities that GDPR presents.
Having a robust business that’s in control of its data is actually a fantastic sales and marketing tool in itself. Make sure that you talk to your clients about the efforts you’re putting into protecting their data. Use it to start new conversations with prospective clients and win business off the back of it. As we’ve seen with the Cyber Essentials scheme, it’s only a question of time anyway before the supply chain mandates that you’ve demonstrably taken this seriously – it’s their reputation at stake too. Going through the GDPR exercise also often presents a great opportunity to streamline how your business operates and uses data.
4. It is clear who is responsible for data privacy and integrity.
This is simple but often overlooked. Ensure you classify your data (what, who, why, where) and define the levels of access and security around it. This extends to your suppliers and partners too, so ask questions of them. It is as much about governance as it is about security. This means understanding the value of the subject information you collect. GDPR swings the pendulum firmly towards the citizen and away from the organisation when it comes to privacy control.
5. It has clear processes and procedures, and regularly tests them.
Think about having a fire warning system that you never check, a fire extinguisher that’s never been inspected or an emergency evacuation procedure that exists on paper but has never been put to the test. It just wouldn’t happen, right? This is why Forfusion promotes risk mitigation approaches inspired by best practice in other areas, and uses them to shape how we treat business issues such as GDPR and cyber security in general.
6. It seeks help at appropriate times.
Unless you are a very large or enterprise business, you’ll almost certainly struggle to grasp all of the details around GDPR or to build full capability yourself inside your business. Make sure you choose a partner wisely, ensuring that their knowledge of data governance and information security is at least as strong as their technical capabilities.
Experience tells us that organisations that have not taken this new regulation seriously are the ones most likely to suffer the stiffest punishments. Please don’t leave it until it’s too late!