GDPR - Don't let them scare you! Read This

By now if you don't know what GDPR is, then this blog post is not a primer, and I'd suggest you follow this link and read up pretty sharpish, then come back.

For those of you who do know what GDPR is, then this post won't give you all the answers. I do hope it will give you the confidence to do what you have to do, without losing too much sleep, and being scared witless by the sheer volume of scaremongering there is about GDPR that's around at the moment.

The noise of massive fines makes startling headlines, even though the ICO already have the power to fine organisations up to £500,000. Which for many SMEs could be just as crippling as the possible GDPR fines. So, telling us fines imposed under GDPR could be as high as £17 million, or 4% of turnover, probably doesn't make much difference.

Besides, the ICO only use fines as a last resort, and they are committed to working with organisations to ensure that they put the consumer and citizen first when it comes to data privacy. Just like the Data Protection Act, using GDPR the ICO has a suite of sanctions to help organisations comply, such as warnings, reprimands, and corrective orders. I would suggest these are the measures they would use first.

All that said, if you are already complying with the requirements for the Data Protection Act 1998 then you already have an effective data governance programme in place, then you have a great foundation for GDPR.

If you don't comply with the DPA, then don't worry the ICO have some great guides to help you prepare. Their 12 steps to take now document, will help you to structure a programme to get you through the GDPR implementation.

GDPR isn't just about IT Security either, in fact the "IT technical" bits in the GDPR only account for a small percentage of the regulation, about 4%. This really is a business issue, and should be led by the business, and supported by IT.

GOV.UK has a Security Scheme called Cyber Essentials, to help organisations protect themselves against common cyber attacks. Using this scheme to help you navigate what needs to be done to sure up your security controls.

What I'd suggest is that you should familiarise yourself with GDPR, or work with someone who already is familiar, but don't let them scare you. Read the ICO's blogs, and preparation material first. Then have a plan. Using the 12 steps to take now guidance, you should be able to breakdown what needs to be done into simple manageable steps.

Most data breaches or security incidents are a result of poor employee awareness. Have a good training programme in place to ensure your teams are aware of your security policies and procedures, and have an understanding of the new GDPR principles and how to apply them.

There are a range of requirements in the GDPR, and in my view most of them boil down to managing risk, and so a well thought out and developed risk management process is an absolute essential tool.

Here are tips for risk management and GDPR implementation:

One, Awareness - know and understand what data you have:

Audit and document all of your data assets.
Map your data to your business processes.

Two, Risk - understand the risks you face

Run a risk assessment against your business process and the data they use.
Document the business impact.
Produce a risk treatment plan, that's how you're going to deal with the risks.

Three, Gaps - know where you gaps are:

Using the information from steps one and two, identify the control gaps you have.
Fill the gaps.
Get management approval for your plan, and document - conversations aren't evidence.

Four, Improve - monitor and improve:

Repeat steps one, two and three at least annually

While performing your risk assessments you should consider the following:

Why are you processing personal data?
Who is processing the personal data?
What personal data is being processed, the types of data, its source, and on what legal basis?
When is it processed, where did it originate from, when is it updated, how long is it retained?
Where is it processed?