How to transition data protection to business-as-usual
Six practical steps you can take to operationalise data protection
One year ago, the role of the Data Protection Officer was focussed on getting their businesses as compliant with the new GDPR rules as possible. Today, it’s about continuing that work to ingrain good data management and data protection practices into the DNA of your organisation, so they become part of everyday operational procedures.
The reality is that the role of the DPO is grounded in doing what’s best for the customer – and that touches every department within your organisation. As such, data protection needs to be a collective effort. And as the person with complete oversight of what that should look like, it’s up to the DPO to drive the initiative.
We’ve put together the 6 practical steps you can take to ensure that data protection takes centre stage in your company. Not only will you ensure ongoing compliance with GDPR rules, you’ll be mitigating the reputational risk associated with a data breach.
Step 1: Discover and document your data
Data is a constantly evolving entity, and maintaining your ongoing compliance with GDPR requires you, amongst other responsibilities, to keep an up-to-date record of your personal data processing, also known as your Article 30 records. As a mandatory requirement you need to be able to answer the following:
- What data do I have?
- Why do I have it?
- Who can process it?
- Where is it stored?
- How and when do I delete it?
Discovering and documenting your organisation’s data practices will give you the best possible platform to comply with global privacy regulations and get the most value from your data.
However, can you say with certainty what data you hold and why? A data inventory will give you visibility of the data that’s known about, but it will not show you what’s hidden in your unstructured data. In performing their jobs, your employees will be copying data into spreadsheets, sharing it on email and saving it on personal drives, which can make data go dark.
Our research suggests that a typical organisation’s unstructured information contains:
- 42% confidential information.
- 1% sensitive personal information.
- 9% personally identifiable information (PII).
Treat your data inventory as you would an internal audit. Identifying and documenting your data practices is a task that should be performed at least annually to check whether anything has changed and to ensure your continued compliance. Use data discovery technology to identify all the unstructured information in your data estate, so you have insight into what data you’ve got and why, and can determine what information you need to retain and what data can be destroyed. With full visibility, you shut down those vulnerabilities and safeguard your organisation.
If you are creating or updating a data inventory, we’ve created a handy Guide which includes templates to guide you through what kind of information you need to process and all the questions you need to ask about it.
Step 2: Monitor your data estate
There’s usually a difference between how you document your processes and how they’re actually performed.
To prepare for GDPR you probably had a lengthy checklist to work your way through. But ticking things off as you go along doesn’t ensure your compliance. Compliance is, and always will be, an ongoing commitment because your data is always changing, so your data protection efforts need to be constantly monitored and periodically reviewed to safeguard your organisation. Elizabeth Denham, UK Information Commissioner, agrees:
“[GDPR] formalises the move of our profession away from box ticking or even records of processing, and instead seeing data protection as something that is part of the cultural and business fabric of an organisation.”
For example, we’ve seen lots of work being done around Article 30 definitions, looking at how personal data is collected, processed and managed. Here’s one that many readers will recognise:
“We will retain personal data relating to employees for three years after they leave. Special category data relating to employees will be stored on encrypted media and password protected.”
Sounds good in theory, but when it comes time to execute that plan, it’s actually really hard. There’s a great description of what the plan is, but little consideration given to how it becomes part of business-as-usual, and none given to how it will be monitored.
Organisations with more mature data privacy and security programmes will regularly audit their data estate and data processes to identify where policies need to change or where they aren’t being followed.
However, these audits are virtually impossible to complete unless you have appropriate automation tools in place.
Using data discovery and compliance technologies to continuously monitor your data estate means you’ll be alerted to these discrepancies and be able to do something about it. How?
By running automated searches on all of your data as often as you require, you can reveal where your policies are not being adhered to, and specifically who isn’t following them. You can then remind users when information is stored incorrectly or is past its retention period so they can take remediation actions.
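To make the monitoring step concrete, here is an added example (written for this article, not Exonar’s code) that checks a constructed data inventory against the policy quoted above: employee data is retained for three years after leaving, and special category data must sit on encrypted storage. The inventory records, the owners and the three-year retention expressed as 1095 days are all assumptions for illustration; a real run would take the records from your discovery tool’s output.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumption: "three years after they leave" expressed as a fixed number of days.
RETENTION_DAYS = 3 * 365


@dataclass(frozen=True)
class DataItem:
    """One discovered file holding employee personal data (constructed schema)."""
    path: str              # where the file lives in the data estate
    owner: str             # who stored it, so reminders can go to the right person
    special_category: bool # health, ethnicity, etc. (GDPR Article 9 data)
    encrypted: bool        # whether the storage location is encrypted
    leaver_date: date      # the date the employee left the organisation


def check_item(item: DataItem, today: date) -> list[str]:
    """Return every policy rule this item breaks (empty list means compliant)."""
    reasons = []
    if today - item.leaver_date > timedelta(days=RETENTION_DAYS):
        reasons.append("past retention period")
    if item.special_category and not item.encrypted:
        reasons.append("special category data on unencrypted storage")
    return reasons


def find_violations(items: list[DataItem], today: date) -> dict[str, list[str]]:
    """Map each non-compliant path to the reasons it was flagged."""
    return {item.path: r for item in items if (r := check_item(item, today))}


def violations_by_owner(items: list[DataItem], today: date) -> dict[str, list[str]]:
    """Group flagged paths by owner: this is the list to send reminders from."""
    grouped: dict[str, list[str]] = {}
    for item in items:
        if check_item(item, today):
            grouped.setdefault(item.owner, []).append(item.path)
    return grouped


# Constructed sample inventory: four files, two owners, mixed compliance.
SAMPLE_ITEMS = [
    DataItem("hr/leavers/j_smith.xlsx", "alice", False, True, date(2015, 3, 1)),
    DataItem("hr/health/k_jones.docx", "bob", True, False, date(2018, 9, 30)),
    DataItem("hr/current/m_lee.docx", "alice", True, True, date(2019, 1, 15)),
    DataItem("home/bob/old_leavers.csv", "bob", True, False, date(2014, 1, 1)),
]
SCAN_DATE = date(2019, 6, 1)  # constructed date of the scheduled scan

if __name__ == "__main__":
    for path, reasons in find_violations(SAMPLE_ITEMS, SCAN_DATE).items():
        print(f"{path}: {', '.join(reasons)}")
    for owner, paths in violations_by_owner(SAMPLE_ITEMS, SCAN_DATE).items():
        print(f"remind {owner}: {paths}")
```

Scheduling this scan (daily, weekly, whatever you require) and feeding its output into reminders is what turns the quoted policy from a statement into something that is actually monitored.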
Step 3: Process DSARs efficiently
Under GDPR, individuals regain control of their personal data, and upon request you have to provide full access to everything you hold on them within 30 days. It’s a labour-intensive exercise that’s only set to get worse as the number of Data Subject Access Requests (DSARs) increases.
Our research shows that since GDPR came into effect, almost half of UK organisations have experienced an increase in requests for data. And 1 in 10 said data requests had more than doubled.
But amazingly, our research shows that over half of organisations aren’t using technology to manage and deliver DSARs.
Read our research report: ‘Processing Data Subject Access Requests: how does your company measure up?’
As a data leader, you need a permanent, robust and constantly-reviewed process to automate DSARs as much as possible. It will make the activity less painful, costly and time-consuming for your organisation. But unfortunately process in itself isn’t enough – you need people to actually run those processes. Our research shows that 78% of organisations now employ at least one dedicated person to handle data requests, and 25% of these employ over 4 dedicated personnel.
Why spend days when you can process DSARs in minutes?
DSARs can be expensive and disruptive. They’re resource-heavy to process and they steal the focus away from individuals in your organisation. When one of our employees submitted a DSAR to their bank, with whom they have been a customer for over 10 years, they received 8 reams of paper delivered in two large boxes by a courier.
It possibly explains why over a fifth of organisations on average are spending over two hours fulfilling DSARs, and in some cases much, much more.
There’s an easier way: intelligent information discovery software. With it you become massively more efficient in finding personal data for DSARs and reduce the amount of people, paper and time necessary to do so.
Using a Data Subject Search Form, a pre-set query form within the intelligent information discovery software, one or multiple search terms can be used to find information on your data subject.
Having built an index of your information, the technology searches your customer data – emails, databases, Word documents and spreadsheets, in fileshares or in the cloud – to bring back near-instant results.
No more hours spent by multiple people trawling through emails, databases and drives trying to locate the information you need: DSARs can be processed in minutes and with minimal paper.
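The search described above, as an added example rather than Exonar’s product code: a small inverted index is built over a constructed set of documents, then queried with several search terms for one data subject (a name, an email address and an account number). Every document, path and term here is made up for illustration; in practice the index would be built over the real fileshares and mailboxes, and the matching rules would be richer than simple token matching.

```python
import re
from collections import defaultdict

# Keep email addresses and account numbers whole; drop surrounding punctuation.
TOKEN = re.compile(r"[a-z0-9@._-]+")


def tokenize(text: str) -> set[str]:
    """Lower-case tokens, with stray leading/trailing dots or dashes stripped."""
    return {t.strip("._-") for t in TOKEN.findall(text.lower())} - {""}


def build_index(docs: dict[str, str]) -> dict[str, set[str]]:
    """Inverted index: token -> set of document paths containing it."""
    index: dict[str, set[str]] = defaultdict(set)
    for path, text in docs.items():
        for tok in tokenize(text):
            index[tok].add(path)
    return index


def search(index: dict[str, set[str]], terms: list[str]) -> dict[str, list[str]]:
    """Return path -> sorted list of the search terms that matched that document.

    A multi-word term such as "Jane Doe" matches a document only when all of its
    tokens occur there; a document that matches any term is returned.
    """
    hits: dict[str, set[str]] = defaultdict(set)
    for term in terms:
        toks = tokenize(term)
        if not toks:
            continue
        matched = set.intersection(*(index.get(t, set()) for t in toks))
        for path in matched:
            hits[path].add(term)
    return {path: sorted(ts) for path, ts in sorted(hits.items())}


# Constructed corpus standing in for mail, a CRM export, a shared drive and HR.
SAMPLE_DOCS = {
    "mail/2018/complaint.eml": (
        "From: jane.doe@example.com\n"
        "Subject: complaint about account 00123456\n"
        "Please update my postal address."
    ),
    "crm/customers.csv": (
        "id,name,email\n"
        "00123456,Jane Doe,jane.doe@example.com\n"
        "00778899,Tom Brown,tom@example.org"
    ),
    "share/notes.txt": "Meeting notes: Tom Brown asked about his renewal.",
    "hr/policy.docx": "Retention policy: personal data kept for three years.",
}

# Constructed Data Subject Search Form input for one requester.
JANE_DOE_TERMS = ["Jane Doe", "jane.doe@example.com", "00123456"]

if __name__ == "__main__":
    idx = build_index(SAMPLE_DOCS)
    for path, matched in search(idx, JANE_DOE_TERMS).items():
        print(f"{path}: matched {matched}")
```

Recording which term matched each document, not just the list of paths, is what lets the person handling the request explain why an item was included and spot false positives before anything is disclosed.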
Why not benchmark your experience of processing DSARs using our research report, “Processing Data Subject Access Requests: how does your company measure up?” to see what you can do to improve.
Step 4: Nominate data champions
Best practice would be to nominate someone to sit within a DPO role, even if you don’t legally need to appoint the position. But then delegate the responsibility down to nominated data champions within each functional business unit. Empower those individuals to take ownership of their team’s data, ensuring they understand what the data inventory says about expected data practices, how they can help ensure compliance, and the ramifications for not following the guidance.
Step 5: Create a data protection training plan
While the DPO may be accountable for ensuring data protection, every employee in your business has a responsibility towards it.
Often, employees view privacy and data security as legal or compliance issues. But help your staff to understand why data security and information privacy are such important issues, and they’re more likely to take them seriously. Make them understand how their individual contribution can have a big impact and they will incorporate good data management principles into their everyday activities.
When your employees are properly trained, so they understand WHY they need to perform certain actions rather than just being told WHAT you want them to do, they feel invested in the business and you eliminate any guesswork about the right course of action.
Create a data protection training plan. Start by looking at who needs training. And in what form. Do they need role-specific training? Or something more general? Then ensure you have the ability to track when that training has taken place, and assess how frequently it needs to be refreshed. When employees feel confident about their interactions with your data, they’ll follow your security protocols, and are less likely to cause an incident.
Step 6: Lock down your security
Ask your data champions to identify the high-, medium- and low-risk IT systems, applications, shared drives, data repositories and locked filing cabinets within their department. Then communicate those risks to your information security team, and seek assurance that cyber security controls are in place that are proportionate to the sensitivity of the data processed.
Make the role of the DPO valued and ingrained in your organisation
The role of the DPO is wide-ranging and vital. And yet a year after GDPR it can be misunderstood, under-resourced and treated in isolation.
By taking a strong handle on data inventory, monitoring data repositories, nominating data champions, delivering an organisation-wide training programme and communicating expected data practices, the role of the DPO will become valued and ingrained within the organisation. This in turn embeds a culture of privacy and data protection into your organisation’s DNA.
Take the next step and benchmark your data protection policies and processes against an industry best-practice checklist.
Start discovering your data today
Why don’t you set up a time for one of our experts to give you a demo that’s relevant to your business challenges and we will show you how Exonar can help?
“Exonar is developing best-of-breed technology for its customers but only because the team is going the extra mile on a daily basis - whatever you need, Exonar is there. It’s the best experience I’ve had of working with a solution provider in over 20 years.”
Dave Parker, Group Head of Data Governance, Arrow Global