View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
June 28, 2017updated 05 Jul 2017 10:04am

How to Prepare for GDPR compliance

Quest’s Principal Technology Strategist shares his preparation tips as deadline day looms.

By Ellie Burns

Soon the talking will stop. On 25 May 2018, the EU General Data Protection Regulation (GDPR) will become law across 28 European member nations with an impact on every organisation looking to do business in or with the continent. For those owning or processing personally identifiable information (PII), this is the biggest change to data laws since the 1995 Data Protection Directives.

Colin Truran, Principal Technology Strategist at Quest, is aware of the potential impact and the ticking stopwatch. With just months to go before implementation, Truran says organisations concerned that they are running out of time should start by recruiting a Data Protection Officer (DPO). “They can either appoint one or they can hire one via an agency if they are a small organisation,” Truran says. The DPO’s role is to co-ordinate and delegate efforts to put a company’s data collection and reporting house in order. A good DPO, Truran says, will “go through an assessment to understand where an organisation is and where they need to get to, effectively carrying out a gap analysis.” In short the DPO will ensure the business understands the risks and then co-ordinates responsibilities.

It’s worth noting, however, that the DPO’s primary duty of care is to “data subjects rather than their business”. It is the DPO’s job, says Truran, “to report to the data commissioner. In the case of the UK, that means the ICO [Information Commissioner’s Office].”

Near the top of the DPO’s in-tray will be a need to understand the scope of the PII an organisation holds and processes. This is not the first piece of legislation or standard to deal directly with PII – the Payment Card Industry (PCI) Data Security Standard, for example, obliges businesses to better control access. Nevertheless, the definition of what is considered PII is more “wide-ranging” under GDPR, says Truran. It includes, for example, any personal data relating to the physical, physiological, or behavioral characteristics of an individual which allows their unique identification.

“Organisations are faced with the challenge of identifying where that information is and then how to control it,” he explains. “They’re also going to have to understand who has access to it. They have a duty of care with that information and they need to respect the lifecycle of that information and how it was given to them.”

Only those that actually need access should have access.  Remove access from those that have it but don’t use it to reduce the potential risk. “It’s too easy for organisations to drift when it comes to security,” Truran says. “It’s almost as if you are dealing with a patient. You need to be able to have a finger on a pulse, understand what is happening in your organisation. You may not have a breach but you may have internal bleeding.”

When a breach does happen, it’s important to understand how it happened – they can occur very quickly but are likely to be rooted in weakness identified by an attacker long ago – and to react with speed. Under GDPR, a breach must be reported within 72 hours. This, says Truran, is an enormous undertaking especially given responsibility for data is now jointly held by owner and the processor. “Seventy-two hours is not a lot of time,” says Truran. “So what you need to do is delegate out, alert quickly and have complete visibility so you can understand the scope of the attack.”

Content from our partners
Green for go: Transforming trade in the UK
Manufacturers are switching to personalised customer experience amid fierce competition
How many ends in end-to-end service orchestration?

Watch the video CBR/Quest video interview here.

Topics in this article :
Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.
THANK YOU