The run-up to the GDPR becoming law on May 25th, 2018, saw everyone worried about getting into compliance. And rightly so. Not just because protecting customer and employee data is the right thing to do, but the fines for GDPR non-compliance can be hellish. We are talking big numbers; 20 million euros or 4% of revenue, whichever is higher, being the top level of fine possible.
It is 2020, and in the, not quite, two-years since the GDPR came to be, there have been around £97 million worth of GDPR fines and 160,000 data breach notifications made.
Just when you think things may be settling down, GDPR and the data privacy rights it stands for, could come to haunt you. So, in 2020, what things do you need to consider in making sure you don’t end up fighting the UK’s Information Commissioner’s Office (ICO)?
– Watch our free taster sketch “Phishing Emails in Real life” from our hilarious Sketches security awareness training series
GDPR Checklist for 2020
The GDPR is not a tick box exercise, but it is useful to look at certain aspects of your business to help align business processes with GDPR requirements. Here is our non-exhaustive list of things to think about in 2020, to make sure you remain in compliance with the GDPR.
Data processing and governance
The GDPR is focused on the processing of personal data. This means that to comply with the many GDPR data subject rights (aka an individual’s rights) you need to go back to basics – the data. Understanding the data you collect, where it goes, is stored, and who uses it, is a fundamental step in establishing if any compliance gaps exist.
The process of ‘know your data’, is a good mindset and discipline to foster in your organization. It works for many things above and beyond data privacy. It is very useful for knowing what measures to put in place to prevent data breaches. In 2020, and as an ongoing regular event, keep track of your data and build your data inventory to become updateable. This will feed into your ongoing compliance checks.
Your ‘know your data’ process can also help with the next area in our checklist.
Article 5 of the GDPR says this about data collection in terms of minimisation:
“adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);”
When you perform the know your data process, make sure that you only collect the minimum data needed to run a service or use a product. For example, do you really need to collect someone’s name prefix, e.g., Mrs. or Miss or Mr.?
Keeping data collection and processing to a minimum, also means that if you suffer a data breach or accidental data exposure, it will only be a minimal dataset that is leaked.
Technology plays a part in GDPR. Look at the technology measures you have in place. Are they still relevant? Do they need to be updated or augmented with new options?
Encryption plays a part in making sure that any data you collect, and store, is at least protected while it is stored or during transit.
Robust authentication needs to be checked. Perhaps in 2020, some cloud apps now have the option to use two-factor authentication?
Technology also can manage some of the data subject rights you must offer too. If you use customer online accounts, for example, can the customer manage some, or all, of the data subject rights detailed in the GDPR?
- Right to be informed (about your data);
- Right to access (to data);
- Right to data rectification;
- Right to data erasure (data deletion);
- Right to request the restriction of data processing;
- Right to data portability;
- Right to object to use of data; and
- Right to say no to automated decision-making including profiling.
Also offering an easy method of communication with your organization on data rights, that works across different channels (email, mobile, etc.), is something to consider.
Privacy and security awareness training
Security awareness training for employees primes them to the risks of sensitive personal data. A data breach that puts you at risk of having to make a GDPR breach notification can be as simple as accidental data leaks that can happen because of a lost laptop or a shared password.
Security awareness training should be done on a regular basis to keep up with the ever-changing nature of cyber-threats.
Data Protection Impact Assessment (DPIA)
Not all organizations need to carry out a Data Protection Impact Assessment (DPIA). However, you need to know if you do, so double-check your current status in terms of eligibility. The GDPR says you should carry out a DPIA if an “individual’s data processing is likely to result in a high risk”. This is a little vague, so for further details, check out what this means and who it impacts in the “Working Group 29” (WG29) advisory, which sets out that a “DPIA is a process for building and demonstrating compliance.”
A Data Privacy Officer’s Work is Never Done
The work needed to get your organization into compliance with the GDPR may seem like a long time ago, but the world of data is nothing if not fluid.
To make sure fines and unhappy customers remain at arm’s length, keep on top of your compliance by being vigilant, knowing your data, and keeping everyone in your business security and privacy aware using a fun and interactive Security Awareness Training offering.
The Defence Works offers GDPR specific Security Awareness Training that is fun and interactive.
Contact us for a free demo of the training that your employees will not only learn from but enjoy: https://thedefenceworks.com/demo/
Gartner Peer Reviews: “The Defence Works team was truly a great experience” 5-Stars.
Subscribe to the Proofpoint Blog