Expert insight: The GDPR survival guide

By Liam Butler, AVP at SumTotal, a Skillsoft company

GDPR aims to bring basic human rights of privacy and security to the forefront of the modern business world.

The new regulation obliges businesses to take data protection far more seriously than ever before, primarily because their reputation will rely on it. GDPR might feel like a maze of compliance rules: what does it mean exactly? What are its principles? What are the best ways to ensure compliance? Below, we look to demystify these questions.
 
Why do we need GDPR?
Previous legislation was enacted long before the sophisticated technologies of today were invented. In 1995, for example, data was at far less risk of exploitation because things like cloud technology and mobile connected devices simply didn’t exist—or at least not in the same capacity as they do now. The EU enacted GDPR to develop a greater sense of trust in the emerging digital economy by bolstering protection, for both individuals and businesses, based on the latest technological capabilities available. But, also, to give organisations a more straightforward legal framework in which to operate by making the protocols identical throughout the region.

See also:

• Expert insight: Why businesses must re-educate on cybersecurity policies
• New cloud-based platform part of Volkswagen's €3.5bn digitalisation investment
• Read August's issue of Gigabit Magazine

GDPR gives legal structure and greater protection to citizens in the wake of the rapid advances in technology and data usage since the last century. The “information age” is aptly named—nowadays data is collected on an unprecedented scale that could not have been foreseen even just 20 years ago. It is also valued, traded, and manipulated in similar ways to global currency – making it ideal and highly prized to those with nefarious intentions. This data explosion has undoubtedly helped commerce prosper in the 21st century, but it has also given rise to countless risks and opportunities for serious breaches. In this era, data is just as likely to be abused, as it is to be legitimately used. Indeed, as research from the Breach Level Index demonstrates, over nine billion records have been lost or stolen since 2013, of which “only 4% were ‘secure breaches’ where encryption was used and the stolen data was rendered useless”. This figure equates to 59 records being stolen every single second. It’s because of this worrying statistic that GDPR has been drafted.
 
The seven core principles of GDPR
1. The data controller(s) must show that an organisation’s data processing remains in line with GDPR principles at all times. Furthermore, it must be clearly demonstrable to Data Protection Agency inspectors that an organisation is doing everything it reasonably can to comply.
 
2. Accuracy demands that the data a company holds on file about an individual should be entirely accurate and kept fully up-to-date. Any inaccuracies or outdated information should be amended (or deleted, if appropriate) in a timely fashion. GDPR asks “every reasonable step” be taken to achieve complete data accuracy.
 
3. Minimisation means that data collected should be adequate and limited to what is absolutely necessary in order to perform the task the information is intended for. Using information to perform extra tasks outside of original intended purpose (without asking the data subject first) would contravene GDPR’s notion of consent.
 
4. Integrity and confidentiality is the ‘individual principle’. Data processing must assure the security and privacy of the data subject at all times. In other words, a company’s network security should be sufficient enough to assure the privacy of the data subject’s information. In the event of a breach, the company must inform all affected individuals using an appropriate breach notification procedure. Notification must be carried out within 72 hours of becoming aware of a breach.
 
5. All personal information should be processed lawfully. Lawfully can mean (but is not limited to): in accordance with a contract or legal obligation; the processing of data is within the public interest; data processing is in the controller’s legitimate interests, such as preventing illegal activity or a breach. Moreover, personal data should be processed fairly and transparently. It should also be easily communicated to the data subject if they request. Controllers have a window of roughly one month to respond to a subject access request.
 
6. Personal information collected by an organisation must have a lawful and legitimate purpose behind it. Superfluous information that has no specific function – for example ‘extra’ data that is used to formulate a more detailed picture of individual consumer habits or preferences – would constitute as illegitimate. Additional processing tasks that are incompatible with the original intended purpose would constitute as unlawful without further permission or consent from the data subject (as per the minimisation principle).
 
7. Storage limitation asks organisations not to hold personal information for longer than is absolutely necessary or outside the purposes for which it was first collected. Data destruction should be safe and secure.
 
Must-have tips for compliance 
With an understanding of the above principles, you can create a solid framework for GDPR compliance. Below are the essential tips that your organisation should implement – if it hasn’t already.
 
Suspend all non-compliant data collection and begin acquiring legitimate consent
As discussed, ‘conscious’ or ‘legitimate’ consent is the main theme that runs through the entirety of GDPR, therefore acquiring it should be everyone’s top priority. It can no longer be assumed that an organisation is gaining consent from the data subject, it must be made absolutely clear to them what’s happening with their data and why. This task may sound labour-intensive, but it need not be. Targeted use of technology can make this process much easier.
 
Identify and log all current data
Thorough internal audits of an organisation’s current state of affairs should feature prominently on a list of priorities. Without an understanding of what data is held, you cannot begin to implement data handling and storage procedures that are genuinely effective, let alone compliant. Entire companies should be assessed to reveal the extent of personal and sensitive personal data held on file. These discoveries should then be categorised and documented accordingly, with any remedial actions required being noted down. 
 
Review current data practices 
Once you know what, where, and why you have the data that you do, you will then need to ask yourself if current governance practices are sufficient enough to comply. In most cases, changes will be necessary to comply with the more stringent rules of GDPR. 
 
Create or redesign company literature 
GDPR is about individual empowerment and company literature should therefore reflect this. Consent cannot be properly granted under GDPR if the data subject is unaware of their full rights. Therefore, redrafting of company documents should be done if the rights of the individual are not clearly communicated throughout, and privacy statements should also be updated.
 
Appoint a DPO
GDPR recommends that businesses appoint a DPO, who is well-versed in data protection law, to ensure that both controllers and processors are adhering to regulatory measures put in place by the business (some entities will be obliged to appoint a DPO due to the sensitivity of the data they process). Some organisations may see this as an unnecessary appointment, but the peace of mind that a DPO provides cannot be overstated. DPOs will help guide businesses through a new and unprecedented approach to data protection, and also help to train and prepare staff properly. 
 
Organisations should view GDPR as an opportunity to get their data security in order and as a chance to improve their brand reputation. Rather than a red tape regulation, it is as a much-needed opportunity to make data security a top priority and adopt secure data handling practices.