So you’ve done all your research and reading, conducted your Privacy and Security Impact Assessment and taken steps towards compliance. The 25th May has come and gone, and the GDPR is here.
Well, if you’ve prepared correctly, it should be business as usual. The companies that will survive post-GDPR are the ones that have approached the regulation as a business opportunity (rather than an ad-hoc exercise) with a long-term business strategy that’s:
- aligned with business goals; and
- focused on using compliance as a source of competitive advantage.
So how’s your business model looking? Are you equipped for ongoing GDPR compliance?
Privacy by design
You’ll have heard this phrase countless times on your journey towards GDPR compliance, and with good reason.
Privacy by design, according to the Information Commissioner’s Office, is ‘an approach to projects that promotes privacy and data protection compliance from the start.’ It should be the cornerstone of everything you do in your business, and be a key component in your business strategy and operating model. If you haven’t considered how you’ll integrate privacy by design into your operations, you’re not ready for life post-GDPR.
You can have all the high-tech snazzy security systems in the world, but if nobody’s watching them, they’re pretty much useless.
You need to give somebody the job of monitoring system reports (and the tools to do so) so that any suspicious behaviour is brought to your attention immediately, and any potential breaches thwarted in their tracks.
Alternatively, you can outsource this task. If your IT support company helped you on your journey towards GDPR compliance, they should be able to help you with ongoing monitoring as well.
If you discover a data breach, you only have 72 hours to inform the relevant authorities about it. This means you need a data breach response plan.
You’ll need to implement a breach management and response plan, and assign somebody (or a team of people) responsibility for executing this plan in the event of a breach. Be sure to consider things like:
- processes for identifying and containing a breach;
- how you’ll record information on the breach;
- a notification and communication plan;
- how you’ll reflect on next steps and lessons learnt;
- a plan for avoiding a similar breach in the future; and, most importantly,
- employee training.
Again, all the security in the world won’t work if your people aren’t educated.
Human error is the single biggest risk to effective data protection. You should already be educating your staff as part of your journey towards GDPR compliance, but you need to make sure this training and education programme continues post-May 25.
Try to keep cybersecurity and data protection at the forefront of your employees’ minds, and update your training plan as the cyber threats evolve over time. Make sure your team understands threats such as social engineering and phishing scams, and that they know how to handle, send and receive data lawfully.
Life after GDPR
The GDPR is a good thing. It protects your customers, it protects your suppliers, it protects your employees and it protects you. So welcome it with open arms, and work with it – not against it – for a safer, better protected business that stands you in good stead for growth and success.