Wow, how did March just happen? Living in a country that just fell apart like a clown car because of snow, I can report that it's still feeling decidedly wintery here in the UK, and as a weather-obsessed Brit I am fully looking forward to sunnier times. You know, that single day sometime in August. By that time, we'll have crossed the border into the brave new world of the General Data Protection Regulation (GDPR), and like many of you, I am curious as to what that world will look like.
During the 2018 countdown to the GDPR there have been some major milestones falling of late: 100 working days until GDPR, 100 actual days until GDPR, 99 days until GDPR, and so on. By the way, you do have our solemn vow that we’re not going to remind you on a daily basis how close it’s getting to May 25th, 2018. But for those folks still trying to work out what the hell to do for GDPR, by the time this blog hits the interwebs it’ll be around 50 working days in the US until go-day. Not long (tick tock, etc etc), but if you’re reading this as your first step, at least you’re doing something, which is a good start.
GDPR could most definitely be described as a massive exercise in both consumer and business trust, and if you outwardly state that you don’t care about GDPR compliance, or indeed just keep quiet and hope this all blows over, then there are multiple ways it could come back to haunt you. But let’s hope as you’re reading this blog you’re not falling into that camp: instead, you’re either just a little late to the party and are looking for ideas on where to start, or you’re somewhere out there on the GDPR forever-road.
I haven't personally spoken to any of the (hopefully) mythical beasts who are sitting back and purposely doing nothing whilst awaiting the fireworks once GDPR becomes enforceable, but I do hear rumours that this is happening. As courses of action go, this really isn't a good idea, even if you thoroughly believe that you won't/can't get hauled up for non-compliance, or that "it'll only be the big guys" who get called out, or that it'll be a big newsworthy data breach that puts the first organisation into the GDPR spotlight. One of the big misconceptions about GDPR is that it's just about data breaches, and whilst this is an important part, it's not the only way in which you could find your organisation in investigative hot water (as your lawyer will no doubt tell you!).
So in the next couple of months, assuming you’ve got to grips with things such as personal data discovery, reviewing your incident response and security program, and understanding your privacy and data retention policies and procedures, now is a good time to look at what you’ve learned and implement any changes. Maybe your organisation is in a heavily governed industry, like finance, so in theory there’s been less work to do, but regardless of where you are or what you do, if you handle the personal data of EU folks then there will be a level of work needed to prepare for GDPR.
When you implement these changes, do ensure you put the related people, processes and technology through their paces to make sure things are working as they should be. For security teams, something like a breach readiness assessment or a threat simulation tabletop exercise will help you understand how well your incident response processes stand up. In our February GDPR blog, we talked about doing a “Right to be erased” drill - it’s worth doing a few of these in the run up to May 25th, as this is a place you could come unstuck if someone is unhappy with the way in which you’ve dealt with their request.
The other area that we recommend revisiting at this point is third party data processor agreements. These are organisations that you send personal data to, such as a third party payments company, or a cloud-based data storage vendor. This is a vital step in the chain, as without the right contracts in place you could be held responsible for the non-compliance of a processor, which could potentially be a very costly exercise if something goes wrong. If you haven’t had a chance to check in with the data processors that you work with, then do make this a priority over the coming weeks.
As with everything GDPR, your legal counsel and, if you have one, Data Protection Officer are the right places to go if you have questions specific to your organisation. We have a range of assets that can help you better understand the regulation, bundled nicely into this handy GDPR toolkit. And if you’re looking for a fresh pair of eyes to help you understand your organisation’s GDPR readiness, our consultants are able to assist you with the alignment of your data privacy and security ducks.
Want to read more of our GDPR preparation blog series? Look no further than our GDPR blog tag.
P.S.: Hot off the actual press, we just released this awesome incident response e-book, which you may well find helpful in your GDPR preparations.