How to sharpen up your data privacy programme

x-icon

GDPR placed an enormous responsibility on the role of the DPO

In the run up to the GDPR deadline, DPOs frantically tried to get their organisations compliant, or as near to compliant as possible. The main organisational driver was to avoid the hefty 4% fines for non-compliance, as promised by the Information Commissioner’s Office (ICO) And then in the aftermath of GDPR, the focus of the role shifted.

Now DPOs were attempting to keep up with the deluge of requests as customers and service users exercised their rights to access their personal data by means of Subject Access Requests (SARs). Today, despite the role being a legal requirement under GDPR, the main challenge facing DPOs is how to secure sufficient resources to carry out their duties around data privacy.

How to transition data protection to 'business-as-usual'

You have thousands of employees in your business, and it only takes a small number of bad practices to throw your compliance programme into disarray. Chances are you’re not Superman or Superwoman, so you can’t do everything. 

Transitioning data protection to business-as-usual requires an organisation-wide effort. Based on our experience, we believe there are 6 practical steps you can take to ensure that data privacy and protection takes centre stage in your company:

  • Step 1: Take a data inventory
  • Step 2: Monitor your data estate
  • Step 3: Benchmark your SAR process
  • Step 4: Nominate data champions
  • Step 5: Create a data training plan
  • Step 6: Lock down your data security

Read more about each step in detail 

So what else can you do to sharpen up your privacy programme? Read on to see our top 4 recommendations.

1. Start with your people - your data guardians

As with any business transformation project, the change only sticks if you successfully make a cultural shift in the way your organisation operates. 

As the people actually doing the work every day, it makes sense to draw on the expertise of nominated personnel within each functional business unit. They know the systems they use, what data they collect, why they collect it, and the employees who need access. 

Empower these individuals and they become responsible for their function’s data privacy. And when they feel responsible, they take ownership of the challenges surrounding data protection. Then, if or when they identify an issue, it becomes a lot easier for you to exercise your powers and secure the necessary resources to mitigate the risk.

To secure these functional data champions:

  • Nominate a person within each department to become your data guardians.
  • Make sure you do the same with third party partners who are processing personal data on your customers or staff on your behalf.
  • Train them so they understand what data practices are expected based on their data inventory, how they can help ensure compliance, and the ramifications for not following the guidance.
  • Give them a simple framework to report within so you can collate the information you need to perform your role.

2. Conduct regular audits of your data privacy processes and policies

Data protection isn’t a tick-box exercise. However, after the deadline hit, many organisations believed they were done with GDPR. After all, they’d just spent an average of £1.3 million ensuring their compliance, and the ICO didn’t immediately hand out any of the 4% fines we’d all been so worried about – so they returned to business as usual.

But data protection isn’t something you just do, like ticking off an action on a checklist. 

Just as you would perform an annual internal audit to reduce your risk profile, your data protection efforts need to be constantly monitored and periodically reviewed to safeguard your organisation.

If your organisation is back in business-as-usual mode since the GDPR deadline, it’s probably time to stop treating data protection as a project.

Make data protection practices become ingrained as part of business-as-usual activity, and you’ll secure the elusive resources required to perform your duties.

 

3. Take a look at what’s really in your data

While documenting your data privacy processes and appointing data guardians is a must, these activities cannot ever truly reveal what’s in your data. No matter how locked down your structured data repositories are, how well trained on data processing policies your teams are, data has a habit of escaping. It gets pulled out into excel spreadsheets, sent round on emails, and saved on personal drives.

Based on our own research, a typical organisation’s unstructured data contains 42% confidential information, 9% personal data and 1% passwords, much of which will not be captured in a privacy audit, because it isn’t contained in a structured database. 

What the GDPR forces business leaders to consider is where every single piece of personal data is across their IT estate – including cloud services like Office365. A thorough approach to data discovery, properly implemented with the right discovery software, will lead you to data that you did not know about.

Data discovery software enables you to filter and focus on what really matters to meet your information privacy requirements. By plugging into fileshares, shared drives, mail servers and cloud storage systems you can get a holistic view of your unstructured information. Millions of documents and Terabytes of files can be indexed and understood. 

Reports can be generated on what’s where and how sensitive it is. Individual files can be drilled into and all other files (wherever they may be located) about the same subject can be identified instantly. Files can be moved or deleted. Privacy policy violations can be picked up with automated Workflows. And Subject Access Request or eDiscovery case data sent to the right people or systems.

4. Get the Board involved

Although the DPO is a role which must report to the executive management, there had been a perception in some organisations that the job was done around the time of the deadline and there was no need for additional budget. Research from the CPO Magazine reveals that a quarter of DPOs say that their main challenge is obtaining sufficient resources bears this out.

In our experience, however, the most powerful hook for getting the board to sit up and take notice is real insight into what the data in a business contains.

Data discovery software will unearth a comprehensive picture of all the personal data that is held in your data estate, where it is held and its characteristics; taking your organisation beyond spreadsheets and interviews, and into the realm of making well informed decisions, rapidly. You’ll get a clear idea of how data is actually processed and managed within your organisation. That way, you can make the case for implementing the tools that will enable you to automate the process of staying on top of your data estate.

 

Organise, protect and enrich your data 

Here at Exonar, we help our customers to uncover what they’ve got within their data estate, at scale, and in clever ways that our competitors can’t or don’t do. 

Then we help to manage that data proactively through our documented API which enables you to plug Exonar into your existing data management platforms, to help our customers achieve and maintain compliance. 

Start sharpening your privacy policy today

We’re yet to work with an organisation that isn’t amazed at the ‘dark’ data within their estate. It’s why we offer a Proof of Concept first, on a subset of your data. Exonar will comprehensively index and crawl your estate to return a clear picture of what data is there. 

By opening your organisation’s eyes to the scale of their data challenges, they will quickly realise how vulnerable their customers’ personal data is, and support you in implementing the necessary tools to protect their trust. 

Start discovering your data today

Why don’t you set up a time for one of our experts to give you a demo that’s relevant to your business challenges and we will show you how Exonar can help?

Book a demo today

 “Exonar is developing best-of-breed technology for its customers but only because the team is going the extra mile on a daily basis - whatever you need, Exonar is there. It’s the best experience I’ve had of working with a solution provider in over 20 years.”

Dave Parker, Group Head of Data Governance, Arrow Global