Think I’m on a roll, this is my 5th GDPR themed post.
Here’s a more practical article that’ll help you towards alignment with GDPR.
Content for this web log.
- Essentials for success.
- Information Security Management Systems
- What to do with old or archived PII
Essentials for GDPR Success
Educate
The C suite, the board and your employees must be made aware of the organisation’s obligations and their obligations.
Design
Ensure that your on-boarding, training, strategy, policy and procedures take into account the data protection demands of GDPR.
Accountability
Be clear on who is accountable for the data you hold and process. That you can prove that PII is correctly collected, processed, used and treated for the whole Data Life Cycle.
Red Herrings and dead-ends
GDPR is not a technology problem
You can not solve with tools alone, though they may make life easier for some tasks.
Don’t make the mistake of assigning the whole task of GDPR compliance to IT.
IT apply the controls, they’ll tell you where your data is and where it’s going.
It is not solely an InfoSec problem either, though it plays a significant role.
GDPR belongs right at the top, with the head honcho.
The CEO no less.
A significant structure like GDPR, isn’t self-supporting, it relies on good information security and well implemented information technology.
(Unless you totally paper based and you don’t use any IT systems, for processing of PII, but information security part still applies)
Unfortunately unless your process and IT maturity is realistically rated as managed or above, there is work and improvement required on the underlying technology, so that it is properly designed and operated too.
For this, a good route to take is an already established information security management system (ISMS) such as ISO27001.
Isn’t it a monster ? We can’t afford it ? It’s too disruptive!
I hear you say. No, it is designed as a framework, it is scalable. Not all of it will apply to your organisation. You don’t have to go for accreditation immediately, but it’s extra kudos if you do, something to aim for in continual improvement.
Be clear I’m not saying ISO27001, COBIT, Cyber Essentials etc are mandatory. You may be doing your own thing which is just as good or better. Although it is another level of control you may need to prove and justify.
Prioritise and Segment
Determine where your data or operations impact on the data subjects most. Deal with that first.
Old / Archived PII
Do you need to keep it for legal or regulatory reasons ?
Is there a clear and lawful reason for you to retain this information ?Do you have explicit consent to use the PII for your intended use ?
No ? delete it (properly).
If you want to keep it or re-purpose it, strip out the PII elements, so that you end up with anonymised data.
Otherwise anonymise it
Proportionality
You are not expected to spend a dis-proportionate of effort to achieve 100% data sanitisation. If the archives are properly secured it doesn’t mean you have to pull out every archive since year dot to scan for PII.
However, if it is recalled for any reason, you’ll need to ensure that the data on there is properly treated by removing the PII where necessary, for example removing people who have requested the right to be forgotten.
See Articles 35, 36 and 83 and Recitals 84, 89-96
Any other business ?
There will be more follow-ons from this one that’ll build upon what’s been said above. Examples of other things you should know and should be doing are :
- What do you have in your software estate ? Shadow IT has the means of scuppering your GDPR efforts. Seek out the old MS Access databases ….
- Vulnerability management
- What does your network look like ?
- How does your data flow ?
- Are all those rules necessary on your firewall ?
- When was the last time the firewall rules were audited ?
- Can you show why that rule is in place and trace it back to the change request and associated approval ….?
Plenty to mull over and discuss, but that’s enough for today.
