GDPR: Where do you start?
With the GDPR now a compulsory legal requirement, businesses across the UK and Mid-Wales still need to start the journey and understand its impact on their operations.
The big question from these firms: where and how do you start? Best tip? Start. Too many firms still have their heads in the sand, or think GDPR does not apply to them or to businesses in Mid-Wales. Start by finding the areas that need urgent attention and focus on those. This may be driven by looking at the ICO website to familiarise yourself with the requirements, or by a GDPR gap analysis to find out how your business is performing against GDPR.
Also, be aware and prepare for a business lifestyle change. GDPR is not a one-off exercise or a crash course in GDPR to then forget about. This is an ongoing process and once you are compliant, you need to ensure your business stays compliant. It requires businesses to change behaviour permanently.
Don’t look at GDPR in isolation. Look at it alongside regulations such as the Payment Services Directive, the e-Privacy Directive, Privacy Shield and PCI DSS. Businesses may find that they are already doing a lot towards compliance.
But the best way to start is from the beginning, and that is with the data you hold that needs protecting. Ask yourself the following questions:
What data do you have? Who is it about? Where did it come from?
Why do we have this data? What do we do with it?
Where is it stored? Who is it shared with?
How do we keep it up to date? How long do we keep it?
One of the fundamental principles of data security is that you have to know what your information assets are and where they are. Otherwise, how can you adequately protect them?
Also, if you don’t need information, don’t collect it and don’t store it: minimise the data you collect, protect what is left accordingly, and have a sensible retention policy.
Another good starting point when reviewing your data is mapping the flow of data through your organisation. This acts as a review of your processes (do they actually work like this in practice?), confirming the actual use of the data, identifying who has access to it and who probably shouldn’t, and identifying any risks to keeping the data secure and accurate.
By starting to understand your data, how it flows through the organisation and where the risks and gaps are, you can document an action plan to address all findings and document your data processing activities, which is a specific GDPR requirement.