GDPR compliance regulations require businesses to define their data privacy policies and make them easily accessible. The computer industry and the digital world are in constant change and efforts to introduce new technologies and ever more advanced networks for processing data are in demand. This change is never ending and has become a continuous and increasing ‘must have’ from end users for yet faster operation, according to his or her requirements.
The security breach of Equifax in 2017 compromised 148 million of their American clients and resulted in a new wave of concern as to how Corporations protect client data. This event can be added to many others involving data theft in recent years – Anthem, Ashley Madison, Card System Solutions, Heartland to name a few. What awakens the need is not just an operational requirement to protect data and monitoring but the on-going duty to protect users’ personal details according to recent GDPR compliance and regulations, and standards of privacy protection. Indeed, although the regulations relate to personal privacy according to the rule of law, they also deal with the very considerable volume of data requiring protection, which falls within the responsibility of operations and facilities managers in an organisation.
These regulations, whether local or European affect every one of us, through organisations and via end users in Information Technology, so that the same standards and laws apply to all stakeholders or managers responsible for data management in an organisation. Security of private information requires the organisation to initiate comprehensive deployment of resources and changes to differing organisational operating procedures, between them, to carry out the mapping of assets, data and infrastructure, details of users, risk assessments and penetration testing in order to identify holes in security.
Beyond the legal department and Management, end users and information security personnel also bear responsibility to prepare the organisation for GDPR compliance to the regulations and standards. Operations managers and Information Security are those who must be concerned regarding the effect of the legislation on standards of data protection of their end users. Yet, what does an Operation Manager or an Information Security Manager needs to know when he/she gets up tomorrow morning?
- Firstly, let’s begin with mapping – mapping of the organisation or of personal details. Infrastructure personnel need to know the complete makeup of their organisations’ network in terms of hardware and software, what are the private details obtained by users, how are they protected, and how are they accessed by the users
- Running of a comprehensive risk assessment to identify information security risks and a check of security breaches
- Mapping of defence capabilities available to the organisation- communication security, physical/electronic security systems preventing intrusion or unauthorised entry.
- Security Policy that encompasses the various conditions required for authorised entry, notices for those conditions of entry, and how to deal with incidents involving security breaches.
- Procedures and protocols regarding data backup and restoration.
- Implementation of documentation mechanisms that will enable control and audit of access to data bases and private details.
Local data protection law and the European GDPR Compliance raise a new bar of challenges and potential plaintiffs that organisations must engage with, conditional on a threshold of increased transparency, responsibility and protection of data. This raised bar not only ensures considerable investment of resources on the side of the organisation but can also accord it with a competitive edge against organisations unable or unwilling to meet the regulations. Henceforth, the question is, how can that be?
Moreover, information is power. However, personal information, or rather control of it is power that is worth a significant amount of money. Therefore, for commercial businesses there is a clear interest in building and maintaining data bases. The problem is that many companies have tried to use details in their raw form. However, in order to get the best potential from data analysis, the data used should be ‘clean’, up to date, accurate and relevant. Many of the principles that govern the quest for data already exist in privacy regulations: data reduction, accuracy and storage restrictions. This is a unique opportunity for businesses to improve GDPR compliance with the law for the benefit of the client on the one hand, and yet to heighten the effectiveness of using the data in their possession on the other.
Therefore, an orderly methodology must be used for the methods of mapping and to qualify the data in the organisation. To improve the procedures of mapping and definitions requires an understanding of the purpose of the legislation which may not match the legal understanding or the technical understanding. So, the first recommendation after the morning coffee is to find those “legal beagles” that have both legal and technical knowledge. Consult with them about privacy regulations and GDPR Compliance!
Written by Etti Berger