The deadline for complying with the General Data Protection Regulation (GDPR) has come and gone. You've done your compliance assessment, made the necessary updates to your processes, policies and technologies, and may have even appointed a Data Protection Officer. You’ve got all your ducks in a row.
Complying with the GDPR - and with any other data protection and privacy law, for that matter - is a full-time job. Like your IT security and IT policies, compliance isn’t a rotisserie oven; you can’t just ‘set and forget’ it. Now that the GDPR deadline has passed, you’ll have to put ongoing effort into maintaining your compliance.
Here are some tools, tips and techniques to help you maintain compliance with the GDPR.
1. Try Microsoft Compliance Manager
If you’ve got a subscription to Microsoft Azure, Dynamics 365 or Office 365 Business, you’ve got access to Compliance Manager.
Compliance Manager, according to Microsoft, is ‘a cross-Microsoft Cloud services solution designed to help organisations meet complex compliance obligations.’ This covers regulations and standards such as the GDPR, ISO 27001, ISO 27018, NIST 800-53, NIST 800-171 and HIPAA. Compliance Manager is packed with features, but the key ones that will help you maintain compliance with the GDPR include:
- Ongoing risk assessments which give you visibility into your evolving compliance status;
- The Compliance Score, a risk-based measure that ranks your compliance status against regulatory requirements; and
- Streamlined risk assessments for every regulation you have to comply with, plus the ability to assign, track and record compliance activities across teams (helpful if you have an overseas office).
2. Embrace privacy by design
Article 25 of the GDPR requires your policies and procedures to be developed with data protection in mind. This is referred to as data protection by design and default, or privacy by design.
If you want to stay compliant with the GDPR, you need to embrace privacy by design. Whenever you take on a new project - like building or implementing a new IT system, writing a new policy, sharing data with new clients or suppliers, or anything that involves processing, storing, or sharing personal data - you must make sure that:
- privacy and data protection are considered in the early stages of the project; and
- those considerations are kept in mind throughout the lifecycle of the project.
The Information Commissioner’s Office (ICO) recommends conducting privacy impact assessments (PIAs) to reduce the privacy risks of your projects. Under the GDPR these are known as data protection impact assessments (DPIAs), and Article 35 makes them mandatory for processing that is likely to result in a high risk to individuals. The ICO publishes a helpful guide to conducting them.
3. Train your staff, and then train them again
Figures from the ICO show that human error is the leading cause of the data breaches reported to it. There is every reason to expect the same of GDPR violations.
As Christian Mancier, data protection law specialist and partner at Gorvins solicitors, writes on Real Business:
‘Unless employees understand the legislative framework, the level of risk to their organisation (both reputational and financial) and how that affects what they do day to day, staff will never really fully understand the impact of their actions whilst carrying out their day-to-day tasks.’
This is why it’s important to educate your staff about privacy issues and train them in cybersecurity best practices. Everyone needs to understand how everyday things - like sharing passwords, sending personal data over email, or using outdated software - put your business and its customers at significant risk.
If you’re stuck on where to start with training, check out this list of resources and courses in the UK.
4. Don’t forget about mobile
More than 80 percent of IT executives expect data accessed on mobile devices to cause GDPR violations, according to a report by Lookout.
It’s not uncommon for people to use the same devices for work and personal use, and to have access to company data outside the office. These days, most professionals rely on their phones, laptops and tablets to do their jobs.
So when you’re considering how to maintain your compliance with the GDPR, don’t forget about your laptops and mobile devices. Do they have up-to-date software with the latest security patches? Are your employees using cloud services or apps that haven’t been cleared by IT? Do you have the ability to wipe devices in the event they’re lost, or an employee leaves? Ask yourself these questions, put a solid mobile device or BYOD plan in place, and make sure everyone is familiar with your IT security policy.
5. Have all your plans and paperwork ready to go
Under the GDPR, you’ve got just 72 hours from becoming aware of a personal data breach to notify the supervisory authority (unless the breach is unlikely to result in a risk to individuals). When you consider how much there is to do in the wake of a breach (think containing the incident, rectifying security weaknesses and notifying affected individuals) that’s not a lot of time to work with.
This is why you need a data breach response plan in place before anything happens. Have a template ready to document the breach, and make sure someone has been assigned the task of notifying authorities (your Data Protection Officer, if you’ve got one). Bear in mind that the GDPR also requires you to record every personal data breach internally, including the ones you decide don’t need reporting, so that record should be part of the template. Draft a letter or email that you can send to affected clients, and put a checklist together to help you manage the response and reduce the risk of a fine (like the one we’ve got for recovering a hacked website).
6. Read IT security news
It’s worth staying in-the-know when it comes to IT security, even if you’re not an IT professional.
Knowing about the latest scams, breaches and cyberattacks will help you proactively identify and manage privacy threats and mitigate risks. Sharing news and articles about security incidents with your employees will also help raise awareness and remind them of the importance of privacy protection and security best practices.
If you’re not sure where to find reliable IT security news and updates, check out our list of 15 best (and most reliable) sources of IT security news.
Compliance is a marathon, not a sprint
According to Gartner, 40 percent of organisations will still be in violation of the GDPR by 2020. Even if you’re compliant now, you can’t afford to rest on your laurels and hope for the best.
Invest in training, be prepared for worst-case scenarios, and use tools like Compliance Manager to maintain your GDPR compliance. And above all, keep privacy in mind. Make it the cornerstone of everything you do. With that attitude, you can’t go wrong.