GDPR – 3 Years and Counting!

Back in May 2018, the new data privacy law (GDPR) was introduced in Europe, and in the period since, several high-profile companies have fallen foul of its compliance requirements. It seems strange to say it, but the focus that existed in 2018 appears to have faded. Yet with Brexit has come a wave of changes to the law, and companies more than ever need to review their data management policies and practices and stay on top of compliance.

GDPR is probably the most immediate big-ticket regulatory item for most organisations operating in Europe, and it is hard to see how an organisation can meet the requirements of GDPR without having effective data management in place. If an organisation isn’t on top of what data it holds, where in the world it is stored, when it was created, and how much longer it will be held, it will struggle to meet the regulatory requirements. When an organisation receives a Freedom of Information request, where does it begin? Hopefully not by going to the central on-premises SAN, which is where the last data management exercise from 10 years ago says the information will be, while trusting that there isn’t a database copy on a shadow IT cloud app hosted outside the EU that doesn’t match the central version!

This kind of shortfall can be addressed with relatively simple data management measures: understanding your data and its hierarchy, establishing metadata tagging, and keeping control over the data throughout its lifecycle. The procession of high-profile cases of data misuse and mismanagement, from Edward Snowden to Cambridge Analytica, suggests we are at the thin end of a regulatory wedge. If that is the case, establishing and maintaining best-practice data management will become increasingly essential to any business that wants to avoid the potentially crippling fines and reputational damage of regulatory breaches.

The growth in regulation is in part a response to the increasing information security threat, which is becoming at least as much about data management as it is about cybersecurity. Cybersecurity measures tend to focus on protecting an organisation’s IT against malicious external actors, rather than the growing insider information security threat. Effective data management offers the greatest protection against information security threats. For example, inadvertent or malicious data misuse by employees and agents is growing to the point where organisations at the greatest risk may need a zero-trust model as part of their data management strategy. With zero trust, any actor – even an administrator – is regarded as untrusted until they can prove authority and specific business need to access particular data. Again, such a strategy requires comprehensive and clear-eyed management of data from cradle to grave.
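The two measures above, metadata tagging with lifecycle control and a zero-trust access decision, can be made concrete in a few dozen lines. The following is an added example written for this post, not code from the author or from any product; the tag names (owner, classification, region, created, retention_days, allowed_roles), the permitted-region set and the sample inventory are all assumptions constructed for illustration. It scans an inventory for datasets that are missing tags, are stored outside permitted regions, or are past their retention period, and it evaluates an access request with a deny-by-default rule in which an administrator role gets no implicit access.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed transfer policy for this example: only these storage regions are permitted.
ALLOWED_REGIONS = {"eu-west", "uk-south"}
# Assumed minimum metadata tag set every dataset must carry.
REQUIRED_TAGS = ("owner", "classification", "region", "created", "retention_days")


@dataclass(frozen=True)
class Dataset:
    name: str
    tags: dict  # metadata tags keyed by name


@dataclass(frozen=True)
class AccessRequest:
    actor: str
    role: str
    dataset: str
    justification: str  # business need, e.g. a ticket reference (assumed field)


def retention_expiry(tags):
    """Date after which the dataset should have been deleted or re-justified."""
    return tags["created"] + timedelta(days=tags["retention_days"])


def find_violations(inventory, today):
    """Return (dataset name, issue) pairs for lifecycle and location problems."""
    issues = []
    for ds in inventory:
        missing = [t for t in REQUIRED_TAGS if t not in ds.tags]
        if missing:
            # Without complete tags we cannot evaluate the other rules.
            issues.append((ds.name, "missing tags: " + ", ".join(missing)))
            continue
        if ds.tags["region"] not in ALLOWED_REGIONS:
            issues.append((ds.name, "stored outside permitted regions (%s)" % ds.tags["region"]))
        if retention_expiry(ds.tags) < today:
            issues.append((ds.name, "retention period exceeded; delete or re-justify"))
    return issues


def authorise(request, inventory, today):
    """Zero-trust decision: deny unless every condition holds. Returns (allowed, reason)."""
    ds = next((d for d in inventory if d.name == request.dataset), None)
    if ds is None:
        return False, "unknown dataset (not in inventory)"
    if any(t not in ds.tags for t in REQUIRED_TAGS):
        return False, "dataset metadata incomplete"
    if not request.justification.strip():
        return False, "no business justification supplied"
    # No role is trusted by default; 'administrator' is not special-cased.
    if request.role not in ds.tags.get("allowed_roles", set()):
        return False, "role '%s' not permitted for %s" % (request.role, ds.name)
    if retention_expiry(ds.tags) < today:
        return False, "dataset past retention; access frozen pending deletion"
    return True, "granted"


# Constructed sample inventory for the example (not real data).
SAMPLE_INVENTORY = [
    Dataset("crm-customers", {
        "owner": "sales", "classification": "personal", "region": "eu-west",
        "created": date(2020, 1, 15), "retention_days": 365 * 5,
        "allowed_roles": {"sales-analyst", "dpo"},
    }),
    Dataset("legacy-export", {
        "owner": "marketing", "classification": "personal", "region": "us-east",
        "created": date(2011, 3, 1), "retention_days": 365 * 3,
        "allowed_roles": {"marketing"},
    }),
    # The shadow copy from the scenario above: no owner, no creation date, no retention.
    Dataset("shadow-copy", {"classification": "personal", "region": "us-east"}),
]
TODAY = date(2021, 5, 25)

if __name__ == "__main__":
    for name, issue in find_violations(SAMPLE_INVENTORY, TODAY):
        print("VIOLATION %-15s %s" % (name, issue))
    for req in (
        AccessRequest("alice", "sales-analyst", "crm-customers", "TICKET-123"),
        AccessRequest("root", "administrator", "crm-customers", "TICKET-123"),
        AccessRequest("carol", "marketing", "legacy-export", "TICKET-9"),
    ):
        print(req.actor, req.dataset, authorise(req, SAMPLE_INVENTORY, TODAY))
```

Running it lists one issue for the shadow copy (missing tags) and two for the legacy export (wrong region and past retention), and the access checks show that a correctly tagged dataset is reachable only by a listed role with a justification, while an administrator request is refused like any other.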

So, what to do next? The one thing that you cannot do is do nothing, unless you want to make the ICO’s latest fines list. Firstly, take a look at the latest guidance from the ICO on the GDPR changes and understand how they will affect your organisation. Next, look at the policies you have in place and make sure that they are still fit for purpose. If changes need to be made, then a plan needs to be put in place to update the policies and processes, and that plan then needs to be implemented. One key point here is to ensure that any changes are clearly communicated to the whole company, as everyone has a responsibility for compliance, and this gives people the chance to question any of the new rules. Finally, if you have discovered that you have strayed from the data management path and lost control of your data, then this is a good chance to go back to basics and look at your data management strategy; my previous blog could help you there. As previously stated, you cannot do nothing, but if you are unsure where to start, please get in touch today.