Having caused IT teams – and indeed businesses – turmoil throughout the past number of months, the dreaded General Data Protection Regulation (GDPR) enforcement deadline is now just days away from implementation.
As most are well aware of by now, failure to comply with the impending regulations could land a company with significant fines of up to 20 million euros, or four per cent of its worldwide turnover, depending on which is higher, leaving many IT staff sweating over their final minute preparations and the remaining obstacles.
Current state of compliance
So what is the current state of compliance in the UK? Some of the most recent findings suggest that nearly half of businesses expect to be subject to fines for not being prepared.
Whether the reality of the GDPR is quite this severe is questionable, however. Whilst the deadline does mean that companies will start to be fined for non-compliance, the GDPR should be no means be seen as an endpoint. Even after the deadlines, organisations will need to keep constantly updating their systems to comply with the regulation.
With that in mind, here is a final checklist on what to be aware of ahead of the deadline, outlining the most crucial aspects to look out for, and last-minute solutions to become GDPR compliant.
Conduct end-to-end data inventories
First off, a company-wide data audit is necessary to identify every location where sensitive personal data is either located, processed, stored, or transmitted.
In doing so, IT teams should be able to identify and classify personal information more effectively. Once this is achieved, appropriate management of access privileges should be applied, and unnecessary data should be deleted to ensure compliance with the regulation. Fundamentally, this should include all data systems under the control of the business, such as emails, databases, applications, SharePoint and other collaboration systems.
Data sharing and processing
A crucial component for the GDPR – the way data is shared and stored within organisations – will be one of the areas under the most scrutiny. Appraising current systems in place which hold personal data of employees and customers is a must, both pre- and post-deadline.
Most data systems will have been created before the existence of GDPR, so data privacy and protection may be viewed as add-ons rather than integral features. Post-regulation, this will no longer stand as an excuse. Organisations must look at the way data is stored from public-facing websites, customer relationship management systems, direct marketing systems, the corporate intranet and other directory solutions that provide authentication to various data sources.
Ensuring staff training
Staff awareness will be a vital component for compliance when the regulation applies in a few weeks. If not already implemented, training on data protection, the requirements of the regulation, and the rights and freedoms of data subjects should be offered to employees. A simple but thorough do’s and don’ts should suffice for this, as well as tasks to ensure data protection for all subjects.
Even if an IT team implements all the necessary systems in the world ahead of GDPR, all it takes is one employee, unaware of the requirements, to cost your business big.
Archiving and backup
Archiving tools can help offload less frequently used data into alternate systems, thereby reducing the volume of unused data in production systems, yet still provide a mechanism for authorised individuals to access relevant data in their day-to-day work.
The systems will need to be compliant with GDPR, however, and include the ability to discover personal data on a subject under request and rectify any incorrect data. Organisations must continue to follow best practices for backup, but the GDPR potentially increases risk depending on how backups are taken. An integrated archive and backup strategy is essential to ensure that only a single instance of data is stored for both.
Moreover, cloud-based archiving and backup solutions may offer some advantages here because of their speed of implementation, a particularly important consideration.
Watch out for data classification
Mission-critical corporate systems, which hold personal data in structured formats, are much easier to understand in terms of data protection than the mass of unstructured data and unsanctioned applications. Classification tools can offer an automated method for analysing all data stores and sources in the organisation, identifying personal data and classifying information where necessary. This also extends to difficult-to-find data locations such as copies, exports, backups, and shadow IT cloud services that employees are using.
Data classification tools map what personal data is actually in place across the organisation, so that appropriate mitigations can be developed. Another important consideration is the selection and use of review tools that will help decision makers to sift quickly through large volumes of information.
Data Loss Prevention (DLP)
DLP tools analyse flows of data within emails to identify the presence of personal data using pattern-matching, and other advanced forms of identification. Given a situation where personal data has been identified, and the necessary protections are not in place, DLP tools can help block or quarantine that data from reaching anyone else. Fundamentally, the tools help prevent the most common and frequent type of data breaches: employees sending data that should be protected in an unprotected form, or to people who are not authorised to receive it.
Encrypting your data
Finally, encryption as a preventative measure should not be underestimated. Encryption is specifically mentioned as a data protection measure within the GDPR framework, as breaches are often avoid where this measure is in place. Encrypting data adds a strong level of data protection, using mathematical codes to scramble characters, making it impossible for potential cyber hackers to decipher in any meaningful way. Only when a user has access an encryption key can the data then be comprehended in a meaningful form.
Whilst timing may seem to be of the essence for businesses to get with the GDPR programme, it certainly should not be viewed as a final destination. It is true that when GDPR enters into force businesses will be subjected to significant fines for non-compliance. Yet, with the right awareness of what to look out, as well as solutions that can be implemented, it is still possible for procrastinators to overcome the GDPR and ensure their organisations are compliant.
Jim Liddle is CEO of Storage Made Easy
- What is GDPR? Everything you need to know in our handy guide