The General Data Protection Regulation (GDPR) countdown is on and your business has until 25th May 2018 before it becomes law. To help you ensure your business will become compliant and meet the legislation requirements, Gemalto is touring the country with its GDPR Clinic providing practical advice.
What is GDPR?
GDPR updates and modernises the principles enshrined in the 1995 Data Protection Directive to guarantee privacy rights. It focuses on: reinforcing individuals’ rights; strengthening the EU internal market; ensuring stronger enforcement of the rules; streamlining international transfers of personal data, and setting global data protection standards.
What is the GDPR Clinic?
We’ve refitted a double decker bus to tour across the UK and provide you with demos on how to get GDPR ready.
How can I get involved?
The bus will start in York on 23rd May, before finishing in London at the largest European security event – InfoSecurity Europe – in June (6th – 8th).
Check out this map to see if the bus will be stopping near you and book a slot to see our experts. For anyone that can’t make it to the bus, we’d still love to hear your views, anonymously in our survey, on how far you’ve progressed with GDPR compliance.
What will I learn?
Our experts in Identity, Encryption and Key Management will take you through the six-step process to ensure compliance with GDPR:
Step one – Understand the GDPR legal framework
- Research and understand the legislation by doing a compliance audit against the GDPR legal framework
- Hire a Data Protection Officer – preferably someone with a legal and technical background
Step two – Create a Data Register
- Keep a Data Register that records the process of you becoming compliant
- Each country has a Data Protection Association (DPA) responsible for enforcing GDPR. The DPA will judge whether you are compliant when deciding any potential penalties for being breached
- Your Data Register will show you are striving to be compliant and avoid a fine of up to four per cent of your turnover, should a breach occur
Step three – Classify your data
- You must understand what data you need to protect and how that is being done
- You must find where Personally Identifiable Information (PII) – information that can directly or indirectly identify somebody – of EU citizens is being stored, who has access to it, who it is being shared with, etc.
- You can then determine which data is more vital to protect, based on its classification. This also means knowing who in your team is responsible for controlling and processing the data, and making sure all the correct contracts are in place
Step four – Start with your top priority
- Once the data has been identified, it’s important you start evaluating it, including how it’s being produced and protected. With any data or application, the priority should be to protect users’ privacy
- You should complete a Privacy Impact Assessment (PIA) and Data Protection Impact Assessment (DPIA) of all security policies, evaluating data life cycles from origination to destruction points
- When doing this, it’s vital to remember the rights of EU citizens, including data portability and the “right to be forgotten”
- From here, you should evaluate your data protection strategies – how exactly you are protecting the data (for example, with encryption, tokenisation or pseudonymisation)
- Always keep in mind that data should be protected from the day it is collected through to the day it is no longer needed, when it should be destroyed in the correct way
Step five – Assess and document additional risks and processes
- Aside from the most sensitive data, the next stage is to assess and document your other risks, with the goal of finding out where you might be vulnerable during other processes
- As this is being done, it is vital you keep a roadmap document to show the DPA how and when you are going to address any outstanding risks
- It’s these actions that show the DPA that you are taking compliance and data protection seriously
Step six – Revise and repeat
- The last step is all about looking over the outcome of the previous steps and remediating any potential fallout, adjusting and updating where necessary. Once this is complete, you must determine your next priorities and repeat the process from step four
All that’s left to say is we hope to see you on the bus soon!
Source: Gemalto – Payments
Gemalto taking GDPR Clinic around the country to educate UK businesses