GDPR does not prevent us from using these
providers, but it does seek to ensure that we have
identified them, and put in place appropriate and
binding contractual obligations to keep that data
safe.
Identifying the myriad processors used by modern
organisations, and then ensuring that appropriate
terms are in place with them, is an important step
towards GDPR compliance.
Not keeping data secure
Personal data is described as being one of the most
valuable commodities in the 21st Century. It has a
value, and therefore many rogues want to get their
hands on it.
Data is a highly portable commodity, and so if
it is not kept secure then it can be stolen, used,
monetised and sold on again all before the legitimate
holder has even realised that the data has been
accessed.
GDPR requires all organisations to keep the
personal data entrusted to it secure by putting into
place appropriate technological and organisational
measures to ensure its proper protection.
An adequate IT infrastructure is a must.
For many organisations this will not mean having
state-of-the-art cybersecurity measures; a robust
infrastructure will be enough.
The Government’s Cyber Essentials initiative (https://www.gov.uk/government/publications/cyber-essentials-scheme-overview) provides a really good starting point for organisations that want to get secure.
COMMUNICA | Issue Five
It is important to remember that it is not all about
technological measures: organisational measures
are as important.
Ensure that all employees understand the
importance of data security, and what your
processes and procedures require.
Consider any particular points of vulnerability,
such as home working, mobile devices, and when
sensitive data needs to be transferred.
Understand how fraudsters use social engineering
(psychological manipulation) to access systems and
steal data.
Training and guidance are really important in
ensuring all your staff are aware of these risks.
Finally, remember that GDPR requires all data
breaches (which covers security incidents as well as
many simple errors) that put an individual at risk to
be reported to the ICO.
Ensure that procedures are in place to enable
reports to be made swiftly and appropriately.
What next?
Recognising the value and vulnerability of personal
data is the key to legal compliance in this area.
Don’t try and eat the entire GDPR elephant in one
sitting (sorry to any vegetarians out there…): break it
down into manageable pieces.
• Start with knowing your data: what you have, where you hold it and what you do with it.
• Then ask why you do what you do. Is there a lawful basis, and if so what is it? Only process in accordance with the reasons you have identified that make processing permissible.
• Be prepared to share that knowledge with the individual data subjects: prepare comprehensive and comprehensible privacy statements, and ensure that they are issued at the right time.
• Only share data when it is appropriate to do so. Understand why you share.
• Take data security seriously. Put in place appropriate systems to protect the information; train staff; and establish procedures to deal with any breaches.

The Editor would like to thank Matthew Cole and Prettys for their contributions.