Snakes and Ladders
Snakes & Ladders …
David Parish – Information Security Consultant
“Treating individuals with respect”
It’s been a little while since my last blog on GDPR and information security.
I have been wading through the challenges from several sources that the new GDPR legislation potentially restricts business from operating.
This is not the case!!
This piece of legislation enables and requires companies, businesses to treat individuals with respect.
With less than 30 days until the GDPR comes into force you may be thinking the whole implementation is like a game of snakes and ladders. The board seems to have more snakes than ladders.
The GDPR academy 12 steps to compliance identify how you need to seek compliance by the 25th May 2018.
If you have followed the plan you will now realise that;
1. Your data mapping has unearthed some big snakes
2. Your staff awareness program has identified that data breech processes are not as robust as you may have thought
3. You have received increased requests from suppliers, clients about how you are approaching GDPR
4. Your resource allocated to the response is limited
All of the above are live issues that I have experienced and currently experience whilst providing ISO 27001 compliance and GDPR consultancy over the last year.
Let us remove some of the snakes
The information commissioner’s office (ICO) recognises that the impact on business of compliance by the 25th May is in some areas unachievable. Their consistent message is that if you are flagrantly ignoring the legislation you will ultimately receive higher sanctions than those businesses that are working towards compliance. The ICO recognise that the implementation is a matter of continuous improvement in data privacy. The clock does not stop on the 25th May 2018 as individuals become more aware and the publicity increases on data breaches and the enhanced rights the GDPR gives to individual’s people will expect and deserve businesses and companies to respect their privacy.
On the horizon is additional legislation in the pipe line EPrivacy which is due at the end of the year , the UK Data Protection Bill currently going through parliament to ensure that Britain is able to adhere to EU data protection law post Brexit.
Some steps that you can take to closing the compliance gap.
It is probably now that you take a risk based approach based on the ICO’s published guidance and adopts recognised risk management strategies, ISO 27701, ISO 3100 and additional cyber security certifications provide assurance in compliance with GDPR requirements.
Remember In all risk management scenarios there is an option to “do nothing!” If you adopt this strategy, you may feel it’s worth the risk until your customers and competitors start asking about how you protect their privacy, you will definitely miss a golden opportunity to streamline processes and potentially enhance your business strategy.
Risk based wins – Quick solutions
1. Update your webpage privacy notice
2. Create a fair processing notice (there is a check list on what to include provided by the ICO)
3. Review your data breach and data subject access request process. Can you make it one? (Internal process) to one managed mail box.
4. Identify your lawful basis of processing
5. Prioritise the contract that you need to review with suppliers. Drill down to identify who are actually processing personal data on your behalf
6. Devise a plan and document it to deal with data minimisation, retention and deletion. You will not be able to achieve all of this by 25th May.
Finally, document your thought processes and decision making, remember that the GDPR is focussed on individual’s rights and freedoms as is the current Data protection legislation. The GDPR requires you to be able to show transparency and accountability.
by David Parish, Information Security Consultant – IBITGQ Certified ISO 27001 and GDPR implementation Specialist MSC Security and Risk Management