Print.IT Spring/Summer 2016 - page 20

COMPLIANCE
What GDPR means for you

Christine Andrews, managing director of data governance, audit and consultancy firm DQM GRC, explains what organisations must do to comply with the EU General Data Protection Regulation due to come into force by May 25, 2018

‘Keep Calm and Carry On’ seems a fitting theme for the finally-published General Data Protection Regulation (GDPR), new European legislation designed to give individuals greater control over their personal information. Assuming, that is, that your organisation already values its customer data.

Unfortunately, for too long, some organisations have ‘presumed’ consent, worked with ‘implied’ permission, experienced data losses that have taken months to detect and report (remember Sony and Target?) and, in some cases such as TalkTalk, have been unable to properly classify which personal data has been compromised. No CEO wants to look as ill-informed as poor Dido Harding, and customers have an absolute right to expect better.

DQM GRC’s new research, carried out in association with DataIQ, shows the extent to which consumers have become both suspicious and savvy about how companies use their personal details. Awareness of data protection controls is high among consumers: 84% have seen cookies notices; 76% unsubscribe links in emails; and 74% have noticed privacy policies. Yet only half say they notice registration forms and requests for their personal data. This suggests that they overlook the starting point of how an organisation comes into possession of their personal information and subsequently makes use of it.

A significant proportion (49%) of respondents are reluctant to share details unless they trust the brand or there is a clear justification for why they should. Equally, consumers expect companies to encrypt their data and use technology that is properly monitored to prevent hacking and the consequent distress that accompanies those events. This is with good reason, as half of those surveyed have experienced some kind of personal data breach (such as a website hack, account hack or even identity theft).

The research shows that consumer expectations about how their data will be protected align with what regulators endorse: 76.8% expect encryption; 67.5% believe that firewalls should be kept up-to-date; and half think that usage will be both limited and monitored.

Whilst consumers are perfectly entitled to demand organisations take these steps to ensure their data is protected, implementing these processes may be difficult for the 18.4% of organisations that say they will need 12-24 months to make the required changes – cutting the two-year GDPR deadline quite finely.
In some respects, it’s a shame that what’s caught business people’s attention is the headline-grabbing, eye-watering fines of up to 4% of global turnover or €20m, plus the requirement to notify customers and the ICO of unencrypted data breaches. However, if this is what it takes to make companies wake up and realise it is not their data, but our data that we are entrusting to them for safe-keeping, then this is substantial progress. It should certainly help the business case.
So what can organisations do? Firstly, organisations need to evaluate the personal data they already have, categorising it so they are clear where the personal and sensitive data resides and where other less important data sits in the company. Usually, drafting a data flow map will help businesses understand the pattern of data through the company, provide clarity on who has ‘eyes on’ the data, what skills these people have and, finally, highlight where the data ends up.
Once organisations understand just what personal data they have, they should ensure regular risk assessments are completed in order to understand the degree of threat posed to the company when processing data. Indeed, the GDPR demands a ‘risk-based approach’ with the development of appropriate controls. In a single stroke, this should ensure that management recognises the dangers associated with the loss, misuse, theft or any other compromise of customer data.
Organisations that pass data on to third parties often assume the latter operate to high standards of data security and protection. However, this is no longer sufficient, as the GDPR states that controllers must only engage with processors who can provide ‘sufficient guarantees’. As the data owner, you must check they have effective ‘technical and organisational measures to ensure the security of the processing’.
Moreover, there is now an

Christine Andrews, managing director, DQM GRC

Continued...