Do you know exactly where your organisation’s personal data is stored, and how it is used? If you answered “no” or “not sure,” you have some work to do. Protecting data has become a complex task for organisations, not only because of the sheer amount of data but also because of uncertainty about where and how the information is stored. Organisations that fail to protect their own data and that of their customers suffer the consequences, ranging from hefty fines and lawsuits to negative publicity.
Here are a few best practices your organisation can adopt to protect personal information and align with its obligations under the General Data Protection Regulation (GDPR):
Identify what and how much personally identifiable information your organisation handles
Personally identifiable information (PII) can be defined as information that can be used on its own or in combination with other information to identify or contact a single person. The amount of PII an organisation collects will vary widely: a B2B organisation will likely hold less PII than a consumer-facing one. Getting tied up in the intricacies of GDPR can be a real concern for legal departments, so it is important to remember the core shift: GDPR attaches rights to personal information, and accordingly organisations must decide where each type of data, including each category of PII, will be stored and processed. The reality is that today companies have many databases and CRMs but are ill equipped to extract the relevant personal data in order to audit it properly or conduct due diligence checks. Maintaining a register or “map” that records where each type of data lives and the rules for handling it is your obligation, and it will help you reduce the risk and impact of a data breach. As a rule of thumb, personal data should only be where your corporate policy says it may be.
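One practical way to start building the register described above is to scan each data store for recognisable PII patterns and record which store and field contains which category, then compare that register against the locations your policy permits. The script below is an added illustration, not code from the original article; the data stores, records and allowed-location policy are constructed for the example, and the detector patterns (email, phone, IPv4) are illustrative approximations that you would tune to the categories your own policy actually covers.

```python
import re
from collections import defaultdict

# Constructed sample data stores for the example (not real data):
# store name -> list of records (dicts of field -> value).
SAMPLE_STORES = {
    "crm": [
        {"id": 1, "name": "Ada Example", "email": "ada@example.com",
         "phone": "+44 20 7946 0958", "notes": "renewal due"},
        {"id": 2, "name": "Bob Sample", "email": "bob@example.org",
         "phone": "+1 555 0100", "notes": "contacted 2023"},
    ],
    "support_tickets": [
        {"ticket": 101, "subject": "Login issue",
         "body": "User reported from 192.0.2.10, call me on +44 7700 900123"},
        {"ticket": 102, "subject": "Invoice",
         "body": "Please resend to finance@example.net"},
    ],
    "telemetry": [
        {"event": "page_view", "ts": "2023-01-01T00:00:00Z", "ip": "203.0.113.7"},
    ],
}

# Illustrative detector patterns (an assumption of this example, not a complete
# PII taxonomy). Extend or replace them with the categories your policy defines.
PII_PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "phone": re.compile(r"\+\d[\d\s]{6,}\d"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def classify_value(value):
    """Return the set of PII categories detected in a single field value.
    Non-string values (ids, timestamps as numbers) are not inspected."""
    found = set()
    if not isinstance(value, str):
        return found
    for category, pattern in PII_PATTERNS.items():
        if pattern.search(value):
            found.add(category)
    return found


def build_register(stores):
    """Scan every field of every record and return the data-location register:
    {store: {field: {category: record_count}}}. Fields with no PII are omitted,
    so the register lists only where personal data was actually found."""
    register = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for store, records in stores.items():
        for record in records:
            for field, value in record.items():
                for category in classify_value(value):
                    register[store][field][category] += 1
    return {s: {f: dict(c) for f, c in fields.items()} for s, fields in register.items()}


def policy_violations(register, allowed):
    """Compare the register with a policy {store: set(permitted categories)}.
    Returns sorted (store, field, category) triples where PII was found in a
    store that the policy does not allow to hold that category. A store missing
    from the policy is treated as permitted to hold nothing."""
    violations = []
    for store, fields in register.items():
        permitted = allowed.get(store, set())
        for field, categories in fields.items():
            for category in categories:
                if category not in permitted:
                    violations.append((store, field, category))
    return sorted(violations)


if __name__ == "__main__":
    # Constructed policy: the CRM may hold contact details, support tickets only
    # email addresses, and telemetry no personal data at all.
    policy = {"crm": {"email", "phone"}, "support_tickets": {"email"}}
    reg = build_register(SAMPLE_STORES)
    for store, fields in reg.items():
        for field, categories in fields.items():
            print(f"{store}.{field}: {categories}")
    for store, field, category in policy_violations(reg, policy):
        print(f"POLICY VIOLATION: {category} found in {store}.{field}")
```

The interesting output is the free-text fields: the support-ticket `body` column turns out to hold phone numbers and IP addresses that nobody designed it to hold, and the telemetry store carries IP addresses with no policy entry at all. Those are exactly the locations a register built from schema documentation alone would miss, and they are where a policy-versus-reality check pays off.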
Understand your organisation’s risks
You cannot create a policy if you do not know what your risks are, and that means understanding where and how personal data is managed. When it comes to managing your organisation’s risks, the approach should be proactive: waiting for privacy risks to develop, or only taking action once a breach occurs, is not a strategy. An appropriately implemented, integrated data protection system is necessary for preventing or minimising risks that could otherwise threaten a company’s very existence.
A list of measures to achieve this purpose and minimise liability risks might look something like this:
- Analysis of the legal, technical and organisational requirements the company must comply with, involving management, the IT and legal departments and the data protection officer, with support from external consultants where applicable.
- Issuing mandatory regulations on data protection and IT security (or their revision to take account of the GDPR), as well as communication to all employees and particularly the departments responsible for electronic data processing.
- Provision of a “compliance website” and regular employee training, which must include how to correctly handle personal data.
- Producing and publishing an action plan, including the requirements of a Data Protection Impact Assessment, if one is necessary.
- Reinforcing the Data Protection Officer’s role within the company.
- Including the works council in the processing of employees’ personal data, and concluding relevant collective agreements.
- Using appropriate methods and technologies for integrated data protection and to ensure adequate data security.
- Ensuring data-protection-friendly default settings in IT systems, where applications collect or process personal data by automated means.
- Use of suitable legal tech solutions for efficient information management, permanent storage of legal documents, documentation of legally relevant processes and communication of these to a central body.
- Regular audits to evaluate the current level of data protection in the company and check whether the further storage of personal data is lawful.
Educate your employees
Once you have determined how you are going to register privacy-sensitive information, it is time to let the organisation know. Since data privacy has become such a prominent topic over the past few years, many companies have decided to host a “Privacy Day” to reinforce awareness of the new governance requirements and of each employee’s role in keeping data safe (e.g. using secure file sharing and storage). Employees should also have easy access to the latest data privacy policies.
Build a plan
A disaster recovery plan for any organisation should include written details about data recovery and what to do in case of a data breach. You need tooling that allows you to generate reports on data breaches and to outline the next steps, such as delegating tasks or setting deadlines for the applicable notification periods.
By consolidating all your data privacy documents and information in a single repository, not only can you track and control data privacy activities, but you can also reduce the complexity of data management and speed up your response to regulatory compliance requests.