6 practical steps you can take to transition data protection to business-as-usual
One-year ago, the role of the DPO was focussed on getting their businesses as compliant with the new GDPR rules as possible. Today, it’s about continuing that work to ingrain good data management and data protection practices into the DNA of your organisation, so it becomes a part of everyday operational procedures. The reality is that the role of the DPO is grounded in doing what’s best for the customer – and that touches every department within your organisation. As such, data protection needs to be a collective effort. And as the person with complete oversight of what that should look like, it’s up to the DPO to drive the initiative.
We’ve put together six practical steps you can take to ensure that data protection takes centre stage in your company. Not only will you ensure ongoing compliance with GDPR rules, you’ll also mitigate the reputational risk associated with a data breach.
Data is a constantly evolving entity and maintaining your ongoing compliance with GDPR requires you, amongst other responsibilities, to keep an up-to-date record of your personal data processing, also known as your Article 30s. As a mandatory requirement you need to be able to answer the following:
What data do I have?
Why do I have it?
Who can process it?
Where is it stored?
How and when do I delete it?
Discovering and documenting your organisation’s data practices will give you the best possible platform to comply with global privacy regulations and get the most value from your data.
However, can you say with certainty what data you hold and why? A data inventory will give you visibility of the data you already know about, but it will not show you what’s hidden in your unstructured data. In performing their jobs, your employees will be copying data into spreadsheets, sharing it by email and saving it on personal drives, which can make data go dark.
Our research suggests that a typical organisation’s unstructured information contains:
42% confidential information.
1% sensitive personal information.
9% personally identifiable information (PII).
ACTION: Treat your data inventory as you would an internal audit. Identifying and documenting your data practices is a task that should be performed at least annually to check whether anything has changed and to ensure your continued compliance. Use data discovery technology to identify all the unstructured information in your data estate, so you know what data you’ve got and why, and can determine which information you need to retain and which can be destroyed. With full visibility, you close off the exposure created by dark data and safeguard your organisation.
If you are creating or updating a data inventory, we’ve created a handy Guide which includes templates to guide you through what kind of information you need to process and all the questions you need to ask about it.
There’s usually a difference between how you document your processes and how they’re actually performed.
To prepare for GDPR you probably had a lengthy checklist to work your way through. But ticking things off as you go along doesn’t ensure your compliance. Compliance is, and always will be, an ongoing commitment because your data is always changing, so your data protection efforts need to be constantly monitored and periodically reviewed to safeguard your organisation.
Elizabeth Denham, UK Information Commissioner agrees, “[GDPR] formalises the move of our profession away from box ticking or even records of processing, and instead seeing data protection as something that is part of the cultural and business fabric of an organisation.”
For example, we’ve seen lots of work being done around Article 30 definitions, looking at how personal data is collected, processed and managed. Here’s one that many readers will recognise:
“We will retain personal data relating to employees for three years after they leave. Special category data relating to employees will be stored on encrypted media and password protected.”
Sounds good in theory, but when it comes to executing that plan, it’s actually really hard. There’s a great description of what the plan is, but little consideration given to how it becomes part of business-as-usual, and none to how it will be monitored.
Organisations with more mature data privacy and security programmes will regularly audit their data estate and data processes to identify where policies need to change or where they aren’t being followed.
However, these audits are virtually impossible to complete unless you have appropriate automation tools in place.
ACTION: Using data discovery and compliance technologies to continuously monitor your data estate means you’ll be alerted to these discrepancies and be able to do something about it. How?
By running automated searches across all of your data as often as you require, you can reveal where your policies are not being adhered to, and specifically who isn’t following them. You can then remind users when information is stored incorrectly or is past its retention period, so they can take remediation action.
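An added example, not part of the original post or of any vendor’s software: a small Python check that applies the retention and encryption policy quoted above (“three years after they leave”, special category data encrypted and password protected) to a constructed file inventory and groups the breaches by the person who stored each file. The record fields, paths, owners and dates are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional

RETENTION_YEARS = 3  # policy quoted above: keep employee data three years after they leave

@dataclass(frozen=True)
class EmployeeRecord:
    path: str                     # location in the data estate (constructed sample paths)
    owner: str                    # who stored it, so a reminder reaches the right person
    leaving_date: Optional[date]  # None means still employed
    special_category: bool        # e.g. health data
    encrypted: bool
    password_protected: bool

def retention_deadline(leaving_date: date) -> date:
    """Last day the record may be kept: leaving date plus RETENTION_YEARS."""
    try:
        return leaving_date.replace(year=leaving_date.year + RETENTION_YEARS)
    except ValueError:  # 29 February in a non-leap target year
        return leaving_date.replace(year=leaving_date.year + RETENTION_YEARS, day=28)

def audit(records, today: date):
    """Return (path, owner, issue) for every record that breaches the policy."""
    findings = []
    for r in records:
        if r.leaving_date is not None and today > retention_deadline(r.leaving_date):
            findings.append((r.path, r.owner, "past retention period"))
        if r.special_category and not (r.encrypted and r.password_protected):
            findings.append((r.path, r.owner, "special category data not encrypted and password protected"))
    return findings

def reminders_by_owner(findings):
    """Group issues per owner so each person is reminded only about their own files."""
    grouped = defaultdict(list)
    for path, owner, issue in findings:
        grouped[owner].append(f"{path}: {issue}")
    return dict(grouped)

# Constructed sample inventory, dated relative to AUDIT_DATE below.
SAMPLE_RECORDS = [
    EmployeeRecord("hr/active/a.smith.docx", "hr.team", None, False, True, True),
    EmployeeRecord("hr/leavers/b.jones.xlsx", "hr.team", date(2017, 6, 30), False, True, True),
    EmployeeRecord("hr/leavers/c.lee.xlsx", "payroll", date(2015, 2, 28), False, True, True),
    EmployeeRecord("shared/sick-notes/d.khan.pdf", "line.manager", date(2018, 1, 15), True, False, False),
]
AUDIT_DATE = date(2019, 5, 1)
```

Calling `reminders_by_owner(audit(SAMPLE_RECORDS, AUDIT_DATE))` returns one reminder for payroll (a leaver’s file kept past three years) and one for the line manager (unencrypted special category data); re-running with a later audit date picks up further files as they age out.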
Step 3: Process DSARs efficiently
Under GDPR, individuals regain control of their personal data, and upon request you have to provide full access to everything you hold on them within 30 days. It’s a labour-intensive exercise that’s only set to get worse as the number of Data Subject Access Requests (DSARs) increases.
Our research shows that since GDPR came into effect, almost half of UK organisations have experienced an increase in requests for data. And 1 in 10 said data requests had more than doubled.
But amazingly, our research shows that over half of organisations aren’t using technology to manage and deliver DSARs.
As a data leader, you need a permanent, robust and constantly reviewed process to automate DSARs as much as possible. It will make the activity less painful, costly and time-consuming for your organisation. But unfortunately a process in itself isn’t enough – you need people to actually run those processes. Our research shows that 78% of organisations now employ at least one dedicated person to handle data requests, and 25% of these employ over four dedicated personnel.
Why spend days when you can process DSARs in minutes?
DSARs can be expensive and disruptive. They’re resource-heavy to process and they steal the focus away from individuals in your organisation. When one of our employees submitted a DSAR to their bank, with whom they have been a customer for over 10 years, they received 8 reams of paper delivered in two large boxes by a courier.
It possibly explains why over a fifth of organisations are spending, on average, over two hours fulfilling each DSAR, and in some cases much, much more.
ACTION: There’s an easier way: use intelligent information discovery software. With it you become massively more efficient at finding personal data for DSARs and reduce the number of people, the paper and the time needed to do so.
Using a Data Subject Search Form, a pre-set query form within the intelligent information discovery software, one or multiple search terms can be used to find information on your data subject.
Having built an index of your information, the technology searches your customer data – emails, databases, Word documents and spreadsheets, in file shares or in the cloud – to bring back near-instant results.
No more hours spent by multiple people trawling through emails, databases and drives trying to locate the information you need: DSARs can be processed in minutes and with minimal paper.
Even if an organisation doesn’t legally need to employ a DPO, the likelihood is that they will have nominated personnel within the business who are responsible for data protection.
However, our research suggests that despite it being part of data protection best practice, over a fifth of organisations don’t employ anyone to be responsible for handling data requests.
Data is big and it’s only getting bigger so you can’t ignore it.
But it doesn’t mean it has to be a burdensome role for anyone. Common sense dictates that people within their specific business unit will often have a better understanding of how data is processed for their purposes. Tap into that knowledge and suddenly your organisation is in a much stronger position.
ACTION: Best practice would be to nominate someone to sit within a DPO role, even if you don’t legally need to appoint the position. But then delegate the responsibility down to nominated data champions within each functional business unit. Empower those individuals to take ownership of their team’s data, ensuring they understand what the data inventory says about expected data practices, how they can help ensure compliance, and the ramifications for not following the guidance.
Step 5: Create a data protection training plan
While the DPO may be accountable for ensuring data protection, every employee in your business has a responsibility towards it.
Often, employees view privacy and data security as legal or compliance issues. But help your staff to understand why data security and information privacy is such an important issue, and they’re more likely to take it seriously. Make them understand how their individual contribution can have a big impact and they will incorporate good data management principles into their everyday activities.
When your employees are properly trained, so they understand WHY they need to perform certain actions, rather than just telling them WHAT you want them to do, they feel invested in the business and you eliminate any guess work about the right course of action.
GDPR isn’t just a new law, it’s a new mindset. Therefore, incorporating your data policies into business-as-usual will require you to change the working practices of every employee in your organisation. The most important way of ensuring these changes stick is making a cultural shift in the way your organisation operates.
Include people and make them feel part of the change and empower them to take ownership of their individual contribution. If you give people greater responsibility over data privacy, they will actively follow your policies, and proactively seek ways to improve them.
Now, when they find that a step in your process doesn’t work, or could be done a different/better way, rather than find a way to work around it, they’ll speak up and identify ways for you to continuously improve.
Despite the fact that there’s hardly a role in modern business that doesn’t come into contact with customer data, it’s surprising that training on data protection isn’t a standard part of a company’s induction programme.
And yet it should be.
At the ICO’s Data Protection Practitioner’s Conference in April 2019, the ICO highlighted the issue, tweeting:
ACTION: Create a data protection training plan. Start by looking at who needs training. And in what form. Do they need role-specific training? Or something more general? Then ensure you have the ability to track when that training has taken place, and assess how frequently it needs to be refreshed. When employees feel confident about their interactions with your data, they’ll follow your security protocols, and are less likely to cause an incident.
Step 6: Lock down your data security
Finally, it’s time to lock down your high-risk systems. Embracing the crossover between data privacy and cyber security is the best way to demonstrate that you have adopted data protection practices that are proportionate and appropriate for your organisation.
Not only are there hefty fines imposed for non-compliance, an actual breach itself can bear a huge cost to the organisation. According to research from the Ponemon Institute, on average it costs $150 for every record lost. And the impact can be felt for years after the breach first occurred; while 67% of the costs occur in the first year, 22% occur in the second, and 11% of the costs linger after two or more years.
ACTION: Ask your data champions to identify the high-, medium- and low-risk IT systems, applications, shared drives, data repositories and locked filing cabinets within their department. Then communicate those risks to your information security team, and seek assurance that cyber security controls are in place that are proportionate to the sensitivity of the data processed.
Make the role of the DPO valued and ingrained within your organisation
The role of the DPO is wide-ranging and vital. And yet a year after GDPR it can be misunderstood, under-resourced and treated in isolation.
By taking a strong handle on the data inventory, monitoring data repositories, nominating data champions, delivering an organisation-wide training programme and communicating expected data practices, the role of the DPO will become valued and ingrained within the organisation. This in turn embeds a culture of privacy and data protection into your organisation’s DNA.
Take the next step and benchmark your data protection policies and processes against an industry best-practice checklist.