Embedding GDPR and Data Protection in your organisation
22 Jan
It’s been 8 months since the EU General Data Protection Regulation (GDPR) came into force, and organisations are becoming increasingly aware that GDPR is not a one-time project.
Understanding the detail and implications of the GDPR is a daunting task, and some companies might still feel that it is easier to bury their head in the sand rather than to invest the necessary resources to achieve GDPR compliance. However, failure to comply with the GDPR leaves organisations open to substantial fines. According to the ICO (Information Commissioner’s Office), this could mean a fine of up to €20 million, or 4% of your total worldwide annual turnover (whichever is higher).
Based on our experience, it is becoming clear that there is no ‘one size fits all’ approach to GDPR. However, there are a few common steps that all organisations should go through when embarking on the journey to GDPR compliance*.
Step 1: Understanding the GDPR articles
The inevitable first step in GDPR compliance is being aware of and understanding the key GDPR articles. There are many useful information sources out there, but a good place to start is the ICO website. The most important at the outset is Article 5, which sets out the seven key principles of GDPR: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality (security); and accountability.
Compliance with these key principles is therefore an essential part of achieving good data protection practice.
Step 2: Conducting an Information Audit
In order to ensure that you are protecting your information according to the seven key GDPR principles, you first need to conduct an information audit so that you know exactly what information you hold. As part of the information audit, each organisation will need to look at how they collect, process, share, store and delete data.
Step 3: Creating an Information Asset Register (IAR)
Many organisations associate assets with IT equipment such as laptops and servers (i.e. physical assets).
However, it is crucial that organisations also keep a record of their information assets, so that they understand what these information assets are, who they are shared with and how they are classified (e.g. OFFICIAL, SECRET, TOP SECRET, etc.).
An Information Asset Register (IAR) is a centralised repository which contains details of all the information assets held by your organisation. This can include physical assets (such as paper files) and electronic assets (such as spreadsheets) and includes a record of the data being held, and how you store, process and share it.
It is important to know and fully understand what information you hold in order to protect it and be able to exploit its potential. Therefore, creating an IAR is a vital first step to protecting your information assets, as required under GDPR.
Step 4: Data Flow Mapping
Another important step towards GDPR compliance is to understand how information moves through your organisation.
Expanding your IAR to include data flow mapping can help increase the visibility of data flows, which can reduce the risk (and magnitude) of data breaches. In the unlikely event of a breach, an organisation would be able to ascertain exactly what data had been compromised and take the necessary action to ensure that the breach is contained (thereby reducing any further financial or reputational damage).
Following steps 1 to 4 outlined above will not only assist your organisation with protecting its data, but it will also demonstrate to auditors and regulators that you have taken the necessary steps to protect the information that you hold.
How Technology can help…
Whilst it is possible to create and maintain your Information Asset Register (IAR) using spreadsheets and Word documents, the real challenge comes from keeping the asset register up to date and ensuring a consistent quality of data. This challenge will only increase as data volumes grow, meaning that increasing numbers of organisations are looking for tools to automate this process. We believe that investing in an online IAR is vital to reducing the ongoing costs of information governance, improving data quality and proactively managing your information risks.
Many of our customers have been looking for a tool to help them align with the major GDPR principles. CoreStream’s Information Asset Management software (IAM) provides organisations with an online Information Asset Register to manage the end-to-end asset life cycle. It enables organisations to identify, understand and manage their information assets and flows, as well as any associated risks, breaches and actions. Our platform is intuitive, flexible and can be configured to meet our customers’ individual needs.
For further information on CoreStream’s Information Asset Register software and Data Flow Mapping capabilities, please visit our website. Alternatively, if you would like to request further information about our platform or arrange a demonstration, please contact Sophie Lis (firstname.lastname@example.org).
*This guide is purely for guidance purposes and does not constitute legal advice or legal analysis.