Tag Archives: data security

GDPR, the General Data Protection Regulation, comes into force next May (2018)

Preparing our customers for the GDPR (the EU General Data Protection Regulation), which comes into effect on 25th May 2018, is one of our prime focuses at present.

So whatever the result of June's election and of the Brexit negotiations that will occupy the media and politicians for the next couple of years, we are certain to have at least one May that is still significant next year; whether one of them is Theresa is yet to be decided.

The second May, 25th May 2018, the date GDPR comes into effect, will certainly still be significant, and we are in the process of informing our customers about the consequences for their businesses and helping them understand the need to comply. The new regulation has the potential to significantly improve the data security landscape.

GDPR will change the way many companies approach data security

With a little under a year to go before GDPR implementation, the Information Commissioner, Elizabeth Denham, talks about why GDPR is an issue for the boardroom.

We are currently carrying out a GDPR review for an engineering company in Sussex. The process is fairly standardised now, and we use an online tool to help us gather the information and to ensure the fairly complicated process is carried out thoroughly and consistently.

The initial stages of a GDPR project inevitably involve data mapping: in effect, identifying all of the nooks and crannies in which companies are squirreling away people's personally identifiable information (PII). (The GDPR itself uses the broader term "personal data", but PII is the label most businesses know.)

What constitutes PII? Anything that will tie a data record to an identifiable individual, or as the GDPR calls them, the data subject. Identification can be indirect: a record with the name stripped out is still personal data if it can be linked back to a person by combining the remaining fields or by reference to other information the business holds.

The range of information that may be deemed PII is extensive. The obvious crown jewels are attributes such as name, gender, address and banking details, and these are plainly high risk; but a long tail of other attributes may also fit the criteria, and whether they do or not often depends on the context in which they exist. A postcode or a date of birth on its own identifies nobody; the two together, alongside a gender or a job title, narrow the field to a handful of people.
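As an added illustration of the data-mapping stage described above (example code written for this page, not the author's online tool or any product): a small PII discovery pass over two constructed sample stores, one CRM export and one "de-identified" survey sheet. It classifies each column as a direct identifier, a quasi-identifier or neither, using regexes for values it can recognise and column-name hints for values it cannot, and then rates the data set as a whole. The column names, patterns, the 80% match threshold and the fictional records are all assumptions chosen for the example; the useful point is the context rule at the end, which flags a sheet with no names in it as re-identifiable because postcode, date of birth and gender co-occur.

```python
import re

# Constructed example of a PII discovery pass for a GDPR data-mapping review.
# Patterns, column-name hints and thresholds are assumptions for illustration.

# Direct identifiers: a single matching value ties the record to one person.
DIRECT_PATTERNS = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$"),
    "uk_iban": re.compile(r"^GB\d{2}[A-Z]{4}\d{14}$"),
    "uk_mobile": re.compile(r"^(?:\+44\s?7|07)\d{3}\s?\d{6}$"),
}
# Quasi-identifiers: harmless alone, identifying once two or more are combined.
QUASI_PATTERNS = {
    "uk_postcode": re.compile(r"^[A-Z]{1,2}\d[A-Z\d]?\s?\d[A-Z]{2}$"),
    "date": re.compile(r"^\d{4}-\d{2}-\d{2}$"),
}
# Column-name hints for values no regex can recognise (free-text names, M/F codes).
DIRECT_NAMES = {"name", "full_name", "surname", "first_name", "email", "iban", "ni_number"}
QUASI_NAMES = {"dob", "date_of_birth", "gender", "sex", "postcode", "job_title"}

MATCH_THRESHOLD = 0.8  # fraction of non-empty values that must match a pattern


def classify_column(name, values):
    """Return ('direct', label), ('quasi', label) or ('none', None) for one column."""
    key = name.strip().lower()
    if key in DIRECT_NAMES:
        return "direct", key
    if key in QUASI_NAMES:
        return "quasi", key
    sample = [str(v).strip() for v in values if v not in (None, "")]
    if not sample:
        return "none", None
    # Direct patterns are tried first so a column is never downgraded to quasi.
    for group, patterns in (("direct", DIRECT_PATTERNS), ("quasi", QUASI_PATTERNS)):
        for label, pattern in patterns.items():
            hits = sum(1 for v in sample if pattern.match(v))
            if hits / len(sample) >= MATCH_THRESHOLD:
                return group, label
    return "none", None


def map_dataset(records):
    """Classify every column of a list of dict rows and rate the set as a whole.

    tier is 'high' if any direct identifier is present, 'reidentifiable' if two
    or more quasi-identifiers co-occur (the context point: postcode + DOB +
    gender pins down most people even with names removed), otherwise 'low'.
    """
    columns = {col: classify_column(col, [r.get(col) for r in records])
               for col in records[0]}
    direct = [c for c, (group, _) in columns.items() if group == "direct"]
    quasi = [c for c, (group, _) in columns.items() if group == "quasi"]
    if direct:
        tier = "high"
    elif len(quasi) >= 2:
        tier = "reidentifiable"
    else:
        tier = "low"
    return {"columns": columns, "direct": direct, "quasi": quasi, "tier": tier}


# Constructed sample data (fictional people) standing in for two stores found
# during a data-mapping exercise.
CRM_EXPORT = [
    {"customer_id": 1001, "full_name": "A. Example", "contact": "a.example@example.com",
     "post_code": "BN1 1AA", "bank_account": "GB82WEST12345698765432", "balance": "120.50"},
    {"customer_id": 1002, "full_name": "B. Sample", "contact": "b.sample@example.org",
     "post_code": "RH10 1AB", "bank_account": "GB33BUKB20201555555555", "balance": "0.00"},
]
# A "de-identified" survey sheet: names and emails stripped, yet still re-identifiable.
SURVEY_SHEET = [
    {"response_id": 1, "postcode": "BN1 1AA", "dob": "1980-02-14", "gender": "F", "score": 4},
    {"response_id": 2, "postcode": "RH10 1AB", "dob": "1975-11-30", "gender": "M", "score": 2},
]

if __name__ == "__main__":
    for label, data in (("CRM export", CRM_EXPORT), ("survey sheet", SURVEY_SHEET)):
        result = map_dataset(data)
        print(f"{label}: tier={result['tier']} direct={result['direct']} quasi={result['quasi']}")
```

Run against the two sample stores, the CRM export is rated high on the strength of the name, e-mail and IBAN columns, while the survey sheet, which contains nothing a name-based search would find, is still rated re-identifiable because three quasi-identifiers sit side by side. In a real review the hints and patterns would be extended for the systems actually found (HR, payroll, CCTV logs, mailing lists), and a positive from this kind of scan is a prompt for a human to confirm the classification, not a verdict.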

The interesting thing from our point of view is that making our customers compliant is a combination of a technical data security project and a Human Resources exercise: as we identify, quantify and risk-assess the data, new processes very often have to be put in place to govern how staff collect, amend, delete and otherwise process records for each data instance we find.

For this reason we often work very closely with a Human Resources outsourcing company to help our clients put practical processes in place that are documented and can be referenced in terms of employment and acceptable use policies. In larger organisations it is a question of working with the HR department.

Is GDPR going to be a headache for most companies? I would argue it is an opportunity to put in place a coherent data security strategy.

GDPR should be more than box-ticking compliance, and not a case of making sure the talk is being talked. It should in fact prove to be a catalyst for a much-needed move to secure computing that will in the long run benefit all of us: a move to a model that pays full and proper regard to personal information, which we should always remember relates to real individuals, like you, me, our wives and, god forbid, our children. The data has been entrusted to us.

Companies must not lose sight of the fact that PII is not our data; it is information that our customers have given us in trust, in most cases so that we may carry out a transaction or service. The data belongs to the client or individual, and we should treat it like any valuable commodity loaned to us: keep it safe, and keep it under lock and key.