Is GDPR still a concern for your business? Here’s how to make sure you’re meeting all the requirements
It’s been twelve months since the introduction of GDPR – the game-changing new data privacy legislation. However, research shows that many organisations are still struggling to meet the necessary requirements. Surveys published to coincide with the first anniversary of GDPR on 25th May show that a significant number of businesses are in breach of the legislation.
So what do these findings tell us, and what can you do to make sure your business meets all the necessary requirements?
Findings show just how much businesses are struggling with GDPR
Research by Crown Records Management found that more than 75% of organisations could be struggling with GDPR compliance. The results showed that only 23% of businesses felt their compliance capabilities around GDPR were “very good”.
What’s more, only 20% of the data professionals surveyed felt their data collection processes were compliant with GDPR, which leaves many businesses at risk of fines. 46% of respondents said their organisation’s data storage methods needed improving, while 44% admitted substandard data retrieval processes and 43% expressed concern about their data storage and protection.
Another study, this time by CybSafe, revealed similar findings. 56% of respondents admitted that their business had failed to request consent to store sensitive data, while 16% said they had knowingly ignored access requests.
CybSafe concluded that “the majority of UK businesses are in breach of GDPR rules and few have changed their corporate policies as a result of the legislation.”
A Twitter poll by Infosecurity Europe 2019 also found that businesses are struggling with the new legislation. 68% of respondents believe that organisations have not taken GDPR seriously and are still not compliant. 47% also said that GDPR regulators are too relaxed about enforcing standards.
Similarly, Shred-it carried out a survey of 1,400 UK SMEs and found that, while there is a general “positive understanding and engagement with the principles of GDPR”, 60% of respondents stated that the changes to data protection laws have had a “slight” or “no” impact on how their business operates. Less than a third of businesses (32%) stated that GDPR has had a “great” or “considerable” impact on their organisation.
5 steps to GDPR compliance
While ensuring that your business complies with GDPR legislation may seem overwhelming, there are ways to make compliance much more manageable. Here are 5 steps to help you through the process.
ACCESS: Gaining access to all your data sources is the first key step towards GDPR compliance. You must assess what personal data is being stored across your business, whatever technology was used to store it. Clear access to every data source is a prerequisite for establishing where your privacy exposure risks lie. You can’t rely on common knowledge for this; you need to prove what data is being stored and where it is.
IDENTIFY: Once you’ve found all your data sources, you need to do a thorough examination of what data is being held in them. You’ll then need to extract, categorise and catalogue any personal data held, such as names, email addresses and National Insurance numbers. Pattern recognition, data quality rules and standardisation are key to this process.
GOVERN: You’ll need to get a clear understanding of what personal data means and share this definition across your business. Privacy rules must be documented and shared across all lines of your organisation, and this helps to ensure that personal data can only be accessed by those with the proper rights.
PROTECT: Once you have established a personal data inventory and governance model, you’ll need to set up protection for the data. This can be done using three techniques: encryption, pseudonymisation and anonymisation. Delete any data which isn’t critical to your business and find the appropriate method for protecting the rest.
AUDIT: The final stage in your journey to GDPR compliance is auditing. You’ll need to produce reports which clearly reveal to regulators that: you know what personal data you have and where it is located; you properly gain consent from individuals involved; you can prove how data is used, who uses it and for what purpose; you can manage factors like the right to be forgotten and data breach notifications.
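The IDENTIFY and PROTECT steps above, as an added example that is not part of the original article: a small Python scanner that catalogues email addresses and UK National Insurance numbers in constructed sample records, then pseudonymises the hits with a keyed hash. The detection rules are deliberately simplified and the key is a placeholder that in practice would live in a secrets store.

```python
import hashlib
import hmac
import re

# Constructed sample records standing in for a CRM export; all values invented.
SAMPLE_RECORDS = [
    "Alice Example <alice@example.com> NI: QQ 12 34 56 C, opted in 2018-03-01",
    "Ticket 4471: contact bob.smith@example.org about renewal",
    "Payroll note: AB123456D overtime approved",
    "No personal data in this line",
]

# Simplified detection rules for the IDENTIFY step. The NI rule accepts the
# usual two letters / six digits / suffix A-D shape with optional spaces; a real
# scanner would add prefix/checksum validation and many more data types.
PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "ni_number": re.compile(r"\b[A-Z]{2}\s?\d{2}\s?\d{2}\s?\d{2}\s?[A-D]\b"),
}

def catalogue(records):
    """Count personal-data hits per category so the inventory can be reported."""
    counts = {name: 0 for name in PATTERNS}
    for rec in records:
        for name, pat in PATTERNS.items():
            counts[name] += len(pat.findall(rec))
    return counts

def pseudonymise(records, key):
    """PROTECT step: replace every hit with a keyed-hash token.

    HMAC-SHA256 under a secret key maps equal values to equal tokens (records
    can still be joined) while nobody without the key can reverse a token. The
    key holder can re-identify, so this is pseudonymisation and the output is
    still personal data under GDPR; anonymisation would require deleting or
    generalising the values instead.
    """
    def token(match):
        digest = hmac.new(key, match.group(0).encode(), hashlib.sha256).hexdigest()
        return "<pseud:" + digest[:12] + ">"

    out = []
    for rec in records:
        for pat in PATTERNS.values():
            rec = pat.sub(token, rec)
        out.append(rec)
    return out
```

Running `catalogue(SAMPLE_RECORDS)` gives the counts a data inventory report needs, and `pseudonymise(SAMPLE_RECORDS, key)` shows the records as they would look in a system that must keep working without exposing the raw identifiers.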