With little over a year to go before the EU GDPR comes into effect, those working in compliance and regulatory roles need to know how the new regulation will affect data protection, and with it their jobs.
It goes without saying that, irrespective of the looming EU GDPR enforcement date of 25 May 2018, organisations should already be practising safe data management and protection. As data breaches become a festering part of everyday life in contemporary society, the need for an even heftier tightening of data protection regulation has never been more pressing. The new regulation is designed to strengthen and unify data protection for individuals by encouraging organisations to align their data management policies and practices with its rigorous guidelines or risk a substantial fine. If data breaches are not reported within 72 hours of being detected, companies will be liable for a fine of either 4% of their global group revenue or €20 million, whichever is larger.
As a compliance, regulatory or audit professional, the first step in preparing for the incoming regulation is to familiarise yourself with all the types of data stored in your organisation’s systems. Without this comprehensive knowledge, detecting breaches becomes a harder and more time-consuming job, and the cost of getting it wrong is devalued regard for customer data, heavy financial loss for your company and, as befell O2, a damaged reputation. Classifying the many different types of data on your systems is a useful and critical step towards full familiarity with everything from temporary and deleted files to machine logs, browsing history and free disk space, in addition to the core sensitive data your company stores.
Knowing all there is to know about the data your organisation is responsible for means knowing the where, who and what of its protection: where it is stored, who controls and has access to it, and what protections are in place. This is the information you need to know back to front to uphold your organisation’s data protection policies and processes effectively. Furthermore, though most businesses will have data retention policies in place, those policies need to be adequately policed and enforced, and that needs to be put into practice now, before the consequences of the EU GDPR take effect. The new regulation will also see most companies appointing data protection officers, as stipulated by Article 37 of the EU GDPR, to monitor the compliance of companies outside the EU that handle the data of EU residents.
Knowing the ins and outs of your organisation’s data stores is only half of it; keeping tabs on when to remove data is equally important. Hoarding unnecessary data is what caused Yahoo to incur the world’s largest ever data breach, with 1 billion accounts leaked, and it is important to understand that simply emptying your system’s recycle bin does not clear all end-of-life data. Complete erasure with a certified, verifiable method and tool is the only way to guarantee that data is permanently deleted and cannot be recovered, particularly by unsavoury parties. Furthermore, once the EU GDPR is in force, organisations will need to provide proof of removal as part of an audit paper trail to be submitted to the relevant government and regulatory authorities. Auditing not only data erasure but also data usage and retention policies will also be expected come May 2018.
As the EU GDPR prepares to shake up the rules on breach disclosure, affecting operational processes, job descriptions, PR processes and more, the 2018 legislation will signal a revolutionary shift in the way we treat data.