In May 2018, all organisations operating with and within the EU will have to comply with the new General Data Protection Regulation, commonly referred to as GDPR. This is a directive from the European Union to ensure that all humans (consumers) have control over their own data and fully understand how their data is being used by the companies and institutions they interact with.
If you are an organisation (of any sort, cause or type of operation), this will affect you. If you deal with people in any professional capacity, then read on. Organisations gather data in different ways: data on your own employees for Human Resources and Payroll purposes, and data on your customers such as Personally Identifiable Information (PII: name, date of birth, address, etc.) or Protected Health Information (PHI: medical records, biometric data, social security / national insurance details, etc.). To be compliant with the standard you must ensure that you understand the regulation in its different aspects. What I know so far is the following:
A good starting point for you as an organisation is to start now (if you have not done so yet) with a gap analysis. You can perform a comprehensive gap analysis in various ways using various resources. One good website is the Information Commissioner's Office. The gap analysis takes the form of self-assessments covering all the areas that GDPR applies to:
- You as an organisation are a Data Controller: this area assesses your security levels and how you deal with breaches. The areas you need to consider are the policies you have in place for data protection for adults and children, dealing with consent, an information asset register, a lawful basis for processing data, and the right to be informed, the right to rectification and the right to restrict processing of information. This is not an exhaustive list but a sample of what you would tap into.
- You as an organisation are a Data Processor: this area focuses on the data breaches that take place and the availability of a framework to deal with them. The areas you need to consider (a sample, not an exhaustive list) are data breaches, the right of access, the right of rectification, the right of data erasure and restricting data processing.
- You as an organisation have Information Security in place: this is an area that I believe can be highly supported if you are ISO27001 compliant. Some of the areas are access control, remote working, malware protection and your employees’ awareness.
- You as an organisation Manage Records: this area covers the company's records management policy. It goes into record creation, storage, disposal, tracking and off-site storage. Whether you retain personal data on paper or in digital records systems (commonly known as case management systems, CMS, and customer relationship management systems, CRM), you as an organisation should have policies in place for records management.
- You as an organisation operate a Data Sharing and Subject Access framework: this area is about data sharing policies and monitoring compliance. It covers maintaining sharing records and dealing with subject access requests. Broadly, this maps to your governance policies for data protection.
There are two other areas, the use of CCTV and Direct Marketing, which I have not tapped into yet as they are not relevant to our context as an organisation.
What the new regulation says is that a company must appoint a data protection officer and have a records management lead. This is basically to secure management commitment to responsibility and accountability.
Are you currently involved with GDPR? What is your understanding, and what areas are you most involved in? Share your comments below.