
Journey towards GDPR compliance

How to ease the journey towards GDPR compliance – and then maintain it


The cyber threat landscape has evolved swiftly and dramatically over the last few years. Major stories involving the likes of the NHS, TalkTalk and most recently Uber have jolted the IT departments of many businesses into action, forcing them to treat cyber security as a top priority. This has happened across industries, be it financial services, the property sector, law firms or professional services.

A large part of this involves ensuring that all relevant corporate data is stored safely and can be quickly restored in the event of a cyber attack, and with the arrival of the General Data Protection Regulation (GDPR), this has never been more important. From May 25th 2018, all businesses are required to implement a level of transparency around how they are using customer data, and they must also ensure that customers can have their information removed from company databases should they request it. At this point we are all aware of the importance of GDPR compliance, and of the severity of the fines that come with failing to take appropriate action in time.

At first, companies might think they can deliver the level of compliance expected of them by applying regular patches and employing anti-virus protection, and of course this is still vital for cyber security protection. But in reality there is much more involved, and a large part of getting over the compliance hurdle is understanding just how much data your business is holding, and where it’s being held.

For a long time now, regularly performing system backups – alongside having a robust disaster recovery solution – has been one of the best strategies for restoring data in the event of an attack, whether it arrives via a ransomware email or a distributed denial of service (DDoS) attack. But this also means businesses often hold multiple copies of the same files. If you consider how the majority of businesses perform these backups – i.e. using a grandfather, father, son rotation, which retains daily, weekly and monthly sets side by side – it is more than likely that a single file exists in ten or more locations, with even more versions potentially undiscovered. Add to this the fact that businesses often structure their data around their clients and internal departments, and that large copies of data are frequently kept after system upgrades ‘just in case’, and you start to get an idea of the scale of the problem.

The end result is that businesses hold a lot of data – many thousands, if not millions, of files created over the years – and most of them do not know where much of it is located.

If businesses want to guarantee compliance before the GDPR deadline arrives, there are four steps they must follow; whether they choose to do so alone or with the help of a trusted IT services provider is up to them. Following each of these, in order, will ensure that all bases have been covered – not just for 2018, but for many years beyond.

Four steps that lead to GDPR compliance:

Discovery
This first step involves businesses assessing and identifying the areas in which they are strongest when it comes to compliance, and those that require more work to reach the same point. For example, one business might have an up-to-date system with a strong firewall and anti-virus software, but no disaster recovery solution in place should its data be compromised or go missing.

This step also involves getting a good grasp of where all of your user-identifiable data is held; once identified, the location(s) must be communicated to all relevant and authorised personnel. This is perhaps the most challenging step of the journey, but it can be made easier with the GDPR discovery tools available on the market. These can help you to identify your strengths and weaknesses extremely quickly, and may even pick up on things that would otherwise be missed.

Formulating customer responses
One of the major talking points around GDPR is that customers must be able to have their personal data removed upon request, and so businesses must formulate appropriate responses for those who exercise their right to be forgotten, as well as finalising the processes that should take place whenever this happens.

Accountability
The only way to guarantee compliance is through thorough self-assessment, and this step ensures that businesses have a pre-defined method of ensuring that all appropriate steps have been taken to operate in line with the regulation. Whether this is done via reports, face-to-face meetings or otherwise is ultimately down to the business and its specific requirements.

Protection
GDPR is not a flash in the pan but a long-term commitment, and so a future-facing approach is required. This final step involves assessing and implementing any mechanisms that can be put in place to protect data and processes for years to come, regardless of what might lie ahead.

Conclusion
It’s true – the GDPR deadline is a reality now, but it’s not too late to take action and avoid the hefty fines that threaten businesses that fail to comply. Ultimately, when it comes to IT support, compliance is necessary irrespective of business size and is equally relevant whether you have 3 employees or 3,000, and these four steps make that big step towards compliance so much easier.
