5 Steps on the Journey to GDPR Compliance

By: Claude Schuck, Regional Manager for Middle East and Central Africa at Veeam Software
There are still a vast number of organizations that have not taken the necessary steps to ensure GDPR (General Data Protection Regulation) compliance. The problem surrounding GDPR compliance is that it’s thought of as being just an ‘IT issue’. Lots of businesses seem to either have an inflated sense of confidence around how they already handle data, or they’re shrugging it off as someone else’s problem – which is to miss the point entirely. Compliance with the GDPR, in terms of both preparation and maintenance, should be a company-wide effort. Not least because companies who are found to be non-compliant could face hefty fines that would affect everyone.
And if the stipulations of the GDPR seem significant, it’s because they are. We’ve not had any updates to data protection laws since 1995 and things have changed a lot since then. The way businesses collected and stored personal data back then is no doubt very different to the way they do it in 2018.
When you put it like that, the GDPR seems pretty overdue. Today’s organisations should be welcoming it as an opportunity to update their whole relationship with data protection and make it fit for the future. To implement a methodology that’s built into the fabric of the organisation – not an afterthought or just something for IT to deal with.
The way we see it, there’s a very simple way to frame your approach to GDPR compliance. The five steps detailed below are the process we at Veeam went through to prepare. Now, we’re sharing it with you, in the hope that you’ll be able to complete your journey to compliance.
Knowing your data
If you’re a business that has or holds data on EU citizens, formally known as Personally Identifiable Information (PII), then the GDPR applies to you. That means you’re liable to penalty fines if you’re found to be non-compliant after the deadline of 25 May 2018, which has now passed. The best starting point, then, is simply knowing whether you hold this kind of data or not, and if you do, where it’s kept. Creating a visual map of all the data you hold will help you to build a comprehensive picture and get better oversight of this.

A lack of knowledge around the kind of data they hold may be another reason why so many businesses don’t seem to be taking much notice of the GDPR – or just don’t think it applies to them. It could be that they don’t believe they hold any relevant data (hint: if you employ EU citizens, you do), or don’t realise the breadth and scope of the data they do hold (hint: personal data is more than just names and addresses). Which is precisely why just knowing your data is the first step on your journey to compliance.
Managing your data
Once you’ve built up a picture of all the relevant data you collect and hold, it’s time to look at who has access to it and how it’s being used. Different teams and departments in your business will be accessing the same data in different ways and will be using it for varying purposes. Whether it’s a marketing team inputting data on prospective customers and sharing it with the sales team, or a HR team handling data on its own employees, it’s essential that you implement standardised procedures and workflows around the handling of personal data, and that employees only have access when it’s necessary to their business function.
Managing your data is about having visibility of the way data lives and breathes in your organisation – even if that’s not in-house. Your GDPR compliance also depends on the compliance of any third-party vendors or providers you work with, so the onus is on you to make sure they’re abiding by the rules. No turning a blind eye to data management once it’s out of your own business’ hands.
Protecting your data
Having gained better oversight of your data and implemented standardised processes to manage it, it’s time to make sure the right security controls are in place to protect the data – but that doesn’t just mean encryption. To be compliant you can’t simply turn security ‘on’ and put your feet up; the GDPR requires constant monitoring and diligence, and also much quicker action in the event of a data breach.
It’s true that technology will play an important part in that journey, but technology alone will not bring about compliance. Rolling out a new company-wide approach to data protection requires a combination of security techniques, standardised workflows, internal education, access control, backup solutions, and much more besides. Keeping on top of who has access, where and when, with constant auditing and monitoring will enable much swifter responses to the data breaches that, despite everyone’s best efforts, are probably still inevitable.
Documenting and complying
One of the GDPR’s hottest topics is the introduction of data requests, which means an individual will have the right to request the correction or deletion of the data held about them. Businesses will be expected to comply with these requests and show that they’ve done so, which is why visibility over what data you hold – and where – is so crucial.
Ongoing compliance with the GDPR also requires the documenting and auditing of what data you’re collecting, what it’s being used for and how long you’ll be storing it for. When we went through this step, we asked ourselves questions like: Is the data we collected months ago still relevant today? Do we still have visibility of data when it’s moved from one place to another? Are our third-party providers still compliant?
Continually improving
One of the benefits of constantly monitoring and auditing your data protection processes is the opportunity to constantly review and improve them. It’s true that the GDPR is something of a line in the sand, but as the digital world we live in constantly evolves and expands, it’s safe to assume that responsibilities around data privacy and protection will also continue to increase – so businesses will need to continually improve to keep compliant.
The GDPR should be seen by businesses as an opportunity to rethink their entire approach to data protection, now and moving forward. It’s a chance to make their organisations fit for the future – and they should grab it with both hands.
We learnt a lot about our business and our data in becoming GDPR compliant. We hope our story now helps you.
