With less than a month to go to implementation day, GDPR is weighing on a lot of people’s minds. But while it’s causing a lot of concern for many, we’re here to tell you it’s not all that bad. If you’re still not sure what GDPR is all about, we have a few easy do’s and don’ts for you.
The list of don’ts for GDPR compliance is actually pretty simple:
- Don’t Panic – GDPR might sound like a big bad wolf, but trust us, it’s really not. With the right help and guidance, becoming GDPR compliant is pretty simple. The trick is to not panic and start making changes without first sitting down and creating a plan.
- Don’t Rely On Technology – A common mistake being made at the moment is businesses relying too much on technology to take care of all their compliance needs for them. Technology is a wonderful thing, but it isn’t the answer to all of our problems. There is so much more to security than just prevention, and that’s as true of complying with GDPR as it is of any other framework or programme.
So that’s a few don’ts. How about some do’s?
- Know Your Data – This is the biggest element businesses need to get their heads around. Within the GDPR is an implicit need for businesses to know their data: where it is, what it is, why they have it and how to handle it securely. That involves looking at a lot of the underlying data flows within the business, and ensuring there are no gaps in security at any stage of data handling.
- Have Good Risk Management – GDPR is all about mitigating risk, so risk management is an essential part of GDPR compliance. Article 32 requires that all measures implemented must ensure a level of security appropriate to the risk they are working with. In fact, there are multiple references to risk management throughout the regulation itself. A risk-based approach to security ensures that priorities are established and decisions are made through a process of evaluating data sensitivity and applying the appropriate
- Implement Comprehensive Policies And Procedures – Article 5 of GDPR calls for appropriate measures that are both technical and organisational, and Article 32 goes into detail about some of these measures. These may include adherence to authorised codes of conduct drawn up by national regulators and procedures that prevent unlawful processing or destruction of records. That’s where your shredding protocols come in. So to ensure you are able to be compliant, you need to draft a comprehensive series of policies for data handling, retention and destruction.
- Implement Appropriate And Effective Controls – Once you have a set of policies and procedures in place, you need to implement some controls to ensure they are stuck to. There are a number of ways you can do this, and the choice of solution is really up to you and what your business needs. Article 32 provides a few examples of the types of technical controls that may be appropriate to each type of risk, so if you’re not sure where to start, you can read it here.
- Have Effective Incident Response Procedures – Finally, you need to establish an effective incident response strategy in case the worst should happen. Article 32 requires data controllers to be able to ‘restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.’ In other words, you need to have a plan in place to respond to and deal with data breaches quickly and restore access to information – whether that’s the backup data or the original files.
So you see, GDPR isn’t really a scary beast. In order to tackle it properly, all you need to do is spend some time creating a full compliance plan. If you’re not sure how to go about this, there are a number of experts who can help you. At Greenaway, we work with businesses to ensure that their data destruction obligations are being fulfilled to GDPR standards. Our secure shredding consoles and on-site shred facility mean you can comply with this element of GDPR without much effort or change at all. For more information, just get in touch with us today.