Intelligent CISO Issue 01 | Page 37

Ask yourself whether you already know how your organisation processes personal data.
FEATURE
With a recent Veritas study indicating that more than half of organisations are yet to start work on meeting the minimum requirements set by the General Data Protection Regulation (GDPR), the clock is well and truly ticking. The EU's GDPR comes into force in May, so it is vital that CISOs focus on the impending deadline and look to the future to avoid the significant fines that can be imposed.
Here we speak to industry experts to ask what those companies with some catching up to do really need to know about demonstrating their compliance with GDPR.
How would companies demonstrate GDPR compliance?
MIKE LLOYD, CHIEF TECHNOLOGY OFFICER, REDSEAL

GDPR requires you to demonstrate that your processes protect the privacy of individuals. This requires that you can't just use a business process that works; you have to use a process that is demonstrably doing it in the way that it should. So, the right place to start is with transparency; ask yourself whether you already know how your organisation processes personal data. If that's at all opaque to you, then it will be too opaque for GDPR.

Assuming you don't run a business entirely by passing around scraps of paper or yellow sticky notes, then your business processes leave online footprints. If you don't know how your business processes data, then the best place to start is with an inventory of your network and your processes. You can't audit what you cannot map out.

HARRIET COHEN, HEAD OF COMPLIANCE AND CERTIFICATIONS, DIGITAL GUARDIAN

The first step that any company should take is to appoint a Data Protection Officer (DPO). The DPO may either be a company employee (for example, the CIO) or may be a consultant from a third party.

The next step is to discover the personal data that resides in their environment, starting with file and database servers, SharePoint or other repositories and cloud storage. Those repositories are likely to contain the preponderance of GDPR data in the customer's environment.

Once the company has identified the GDPR data, it should determine how it will respond in the event an EU citizen or resident contacts the company regarding the use of their data, either to respond that the use of the data is appropriate or that the data may need to be redacted or removed. Over time, with experience and particularly with guidance from the European Court of Justice, clear
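As an added illustration of the discovery step described above (example code written for this page, not from the magazine, RedSeal or Digital Guardian): a small Python script that walks a file tree and records which files contain email addresses or phone numbers, giving a first inventory of the repositories that hold personal data and therefore need an owner and a retention decision. The sample files, their paths and the detection patterns are constructed for the example; a real estate would point `inventory()` at its file shares and add detectors for the identifiers it actually holds.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample files standing in for a small file share (hypothetical content).
SAMPLE_FILES = {
    "hr/onboarding.csv": "name,email,phone\nAlice Example,alice@example.org,+44 20 7946 0000\n",
    "finance/q3_summary.txt": "Revenue grew 4% quarter on quarter. No customer records here.\n",
    "support/ticket_1042.txt": "Customer bob@example.com asked us to delete his account.\n",
}

# Detectors: name -> compiled regex. Both patterns are deliberately conservative
# (email with a TLD, phone in international form) to keep false positives low.
DETECTORS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "phone": re.compile(r"\+\d{1,3}(?:[ -]?\d){6,12}"),
}


def scan_text(text):
    """Return {detector_name: match_count} for every detector that matched."""
    hits = {}
    for name, pattern in DETECTORS.items():
        count = len(pattern.findall(text))
        if count:
            hits[name] = count
    return hits


def inventory(root):
    """Walk `root` and return a sorted list of (relative_path, hits) for files
    that contain personal data. Files with no hits are omitted, so the result
    is the list of locations that need to appear in the GDPR data map."""
    root = Path(root)
    results = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        try:
            # Unreadable bytes are ignored rather than aborting the whole scan.
            text = path.read_text(encoding="utf-8", errors="ignore")
        except OSError:
            continue
        hits = scan_text(text)
        if hits:
            results.append((path.relative_to(root).as_posix(), hits))
    return results


def build_sample_tree(root):
    """Write the constructed sample files under `root`."""
    for rel, content in SAMPLE_FILES.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")


def demo():
    """Build the sample tree in a temporary directory and inventory it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return inventory(tmp)


if __name__ == "__main__":
    for rel_path, found in demo():
        print(f"{rel_path}: {found}")
```

The output lists only `hr/onboarding.csv` (one email, one phone number) and `support/ticket_1042.txt` (one email); the finance summary is silently dropped. In practice the match counts are what make the inventory useful for prioritisation: a file with thousands of hits is a structured personal-data store, a file with one hit is usually a mention that still needs reviewing.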