GDPR What you Need to Know

GDPR - What you Need to Know

ProcureCon IT GDPR 2

The General Data Protection Regulation (GDPR) is forcing organisations to review and develop their data handling. New regulations have led to increased focus on efforts to achieve compliance. Undoubtedly, this will require key strategic decisions to be made between departments like IT, Marketing, Finance, Sales and the Senior Management team.

With GDPR enforcement beginning in May 2018, the issue could be put on the back burner for organisations; although it could take some time to review current procedures, obtain cross departmental consensus, obtain financial approval, and implement the correct process and procedures to assure compliance.

Brexit details the need to approach the whole subject of data protection compliance with a light touch, but with a very firm hand. All the underlying tools, infrastructure and policies regarding data handling need to be flexible enough to accommodate multiple scenarios, but a firmness is still required because auditing procedures and processes need to be sufficiently rigorous enough to ensure compliance is achieved.

Remember, if you can't track it, it isn't secure.

What to do next…

The process in which sensitive data flows is fundamental to the GDPR legislation and requirements. Data is extremely vulnerable when in-transit. Therefore, your secure file transfer policies are going to become a critical success factor. The way in which you manage file transfer and storage of all files between customers, employees, partners, and systems is understandably daunting.

5 GDPR Requirements You Should Be Thinking About Right Now

  1. Consent
    Sign-up procedures and configuration settings will need to be re-designed in line with the requirement for explicit consent
  2. Profiling Users
    People will object to the use of personal data for profiling, such as techniques used in direct marketing. Tracking users on different systems requires you to get clear consent and the ability to describe every step taken in how, where, and what in that data is stored.
  3. The Right to Be Forgotten
    To fulfill this requirement, it's critical to design your system so that users can review data, request rectification or withdraw earlier given consent.
  4. Data Portability
    The easiest way to enable individuals to port their personal data from one service provider to another will probably involve common used standards. This is to ensure services are accessible from a well-designed API - one that may even allow downloads in a common format, such as XML.
  5. Redesign Systems with Privacy and Encryption by Design
    This means data needed for attribution (such as the data you need for logging into the system) is not stored together with transaction data (the actual actions performed by your users), which highly reduces the risk of harm for data subjects.

The regulation requires you to report data breaches if the data has not been strongly encrypted within 72 hours of discovery.

Muks Shah will speaking at ProcureCon IT this December in Amsterdam - check out who else we have in our speaking faculty by downloading our agenda. 

ProcureCon IT GDPR button

If you want any more information on GDPR - please see below: 

Overview of GDPR regulations, from the Information Commissioners Office 

Overview of GDPR - European Commission