GDPR series part 6: the guide to implementation

The European Union General Data Protection Regulation (GDPR) will come into force throughout the European Union and European Economic Area on May 25th 2018. This six-part guide will explain the new law, and what businesses need to do to be compliant. The last two articles contained an action guide for businesses looking to prepare (part 1 and part 2), this final piece will provide useful advice around implementation and ongoing compliance.

Now that businesses know exactly what is expected of them by GDPR, it’s time for them to implement the processes that will ensure continued compliance.

Evaluating current data position

The first technical step of GDPR compliance is perhaps the most challenging – identifying the current data position of the company. The controller needs to be able to record all personal data it holds on all systems, as well as that held by employees and sub-contractors. It’s vital to remember that personal data takes many forms and sometimes isn’t even stored on computer systems. It can be found within handwritten notes, paper-based files and on recording devices, and can be kept in both structured and unstructured form.

While automated tools will enable businesses to find their digital data more efficiently, some degree of manual data discovery is necessary to avoid blind spots and unidentified vulnerabilities. Some have found the requirement of proving where existing customer data was collected from and locating exactly where it resides too cumbersome or complex, and have simply deleted databases in order to start over with GDPR-compliant processes in place.

Monitoring and mitigating risks of cloud use

All businesses use cloud in some capacity but the exact level of use is still hugely underestimated. Partly, that’s due to employees using cloud services without notifying IT, creating obvious risks to corporate data. To lessen the need to use unsanctioned services, organisations should set up a cross-departmental cloud evaluation team.

Consisting of representatives from various parts of the business – including IT, legal, compliance and risk, finance, employees and marketing (the department which traditionally handles the most customer data) – the team should review current cloud use, set company policies and procedures, and plan future use. Having voices from across the firm ensures that the burden of data security is lessened on IT’s shoulders as it becomes an enterprise-wide endeavour, and it means that the technological requirements of one party are not forgotten, reducing the need to rely on unsanctioned services. 

Employee training and documented processes

GDPR compliance doesn’t simply mean ensuring that the right processes are in place for an annual audit or single timeframe, it requires buy-in from all employees 100 percent of the time. As such, communication with employees is crucial to implementing a successful programme. They need constant guidance on the organisation’s policies, how to successfully harness the cloud, a list of approved cloud services, policies around cloud computing, and appropriate forms to request cloud use from the cloud adoption team.

If data loss does occur, the severity of fines can be influenced by the strength and sufficiency of documented policies, procedures, technology and training provided to employees. GDPR makes it clear that in any investigation by the data protection authorities, access to this information will be demanded. Fines are expected to be calculated based on the quality of the answers given, in fact, The Information Commissioners Office already sets fines by taking into account the data controller’s investment in data protection.

As consumers, we want our data to be secure

The EU GDPR is a major piece of legislation that could affect all global organisations. The impact should not be taken lightly and every company should review its data handling techniques and plan to conform to the regulation as soon as possible.

Complying with the regulation may, at first glance, seem onerous, especially if you are the data controller. But think for a moment about when you are the data subject. When we buy products or transact with organisations, they will gather some data on us. We’d all like our data to be held safely and securely by those companies. The regulation is putting in place a lot of best practices to help us review whether we are offering the same level of security we’d like every organisation to take with our data.

One other thing to help get your mind around this subject is to think that when you are collecting data as the data controller, the data is never really yours. It is on loan to you from the data subjects. Just like anyone loaning you something, they can ask for that data back, they can check that you are using it correctly, they can demand that you do not further loan it to someone else without their approval, and they have rights over what you do with that data – treat it as you would an expensive item that someone has lent you and you are on the right track.


By Nigel Hawthorn, privacy spokesperson at Skyhigh Networks

Registration now OPEN for PrivSec Global
Taking place across four days from 30 Nov to 3 Dec, PrivSec Global, will be the largest data protection, privacy and security event of 2020.

Reserve your place before 2nd October, and receive VIP access to PrivSec Global which includes priority access to limited space sessions, workshops, networking opportunities and exclusive content.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.