blog

Building a Foundation for GDPR Compliance

On 25th May 2018, the General Data Protection Regulation (GDPR) will become enforceable in the European Union. In parallel, the United Kingdom is planning to enact a similar (quite likely identical) law under the UK Data Protection Bill, as part of the preparations for Brexit. Our reference to GDPR in this article should be taken as broadly applying to both pieces of legislation.

What’s the Problem with Data?

Historically companies see data as a commodity, and want to hold on to every bit they can forever, in case it may one day be valuable to them.

General data of unknown business value is not managed effectively especially in file servers, team shares and personal home directories. With data growth estimated at 30% - 40% per year, a staggering 5 times as much data will exist in your company in as little as 5 years!

Companies often do not have sufficient control of their data to meet existing data regulations, let alone GDPR. GDPR has raised the bar for data protection, but also for the penalties.

Many companies:

  • Have no idea where their data is stored, and this problem is exacerbated by the rapid march towards cloud services. Where in the past this may have allowed some potential for ducking the issue of data protection accountability, GDPR makes it clear the regulations will be applied to both the data owners AND the data processors (internal or external service providers)
  • Store Personal Data (also known as Personally Identifiable Information - PII) in unstructured places, on file servers, team shares, personal home directories, or even email, and companies will find it impossible to comply with the data regulations without significant changes to their operating models

It would be a mistake to consider this just an EU problem. GDPR applies to every company in the world that stores data related to EU citizens and even small “one man” companies. Trying to segregate how you manage your data based on the origin of the data subject is not generally a viable option for a company – and why add that cost and complexity when you can apply good privacy practice across the board.

What are the Regulations Trying to Achieve

The regulations are meant to ensure that Personal Data (or PII) is processed with respect for individual’s rights, and if you already comply with existing data protection legislation you will have a good foundation for achieving GDPR compliance.

Underpinning the GDPR is a strong Information Governance approach. You will be expected to demonstrate that you:

  • Understand what PII you hold, and where it is stored (which data repositories, where they are located) with regards to all copies of that data (if not stored in single place)
  • Have a legitimate reason to process the data (including just storing it), and understanding if consent is actually required
  • Know how and where the data is allowed to be stored, in terms of jurisdiction, technology, security, availability, etc.
  • Understand how long that data must be kept for
  • Have processes in place to:
    • Keep data for the required amount of time, updating this in the event of a legal hold being applied
    • Delete data when it is no longer required
    • Detect if data is compromised, and report in a timely manner to the regulator and any third parties the compromised data relates to

Practical Foundational Steps for Regulatory Compliance

Parker Shaw has developed a partnership with a group of specialist companies to provide a cohesive view on data, information and legal services and guidance to help you address the requirements in establishing a solid foundation and roadmap for GDPR compliance.

We offer services that will help you:

  • Complete a GDPR readiness assessment
  • Create a Device Inventory, showing all places your company stores data
  • Gain insight into how your unstructured data storage is being used
  • Create or Refresh PII Inventory
  • Create or Refresh Records Management Policy
  • Create or Refresh Records Retention Schedule
  • Develop processes and procedures for Data Retention and Data Deletion
  • Develop an unstructured data strategy to improve your data management
  • Remediate your unstructured data and get your data growth under control
  • Complete a Data Protection health check to address GDPR compliance for smaller businesses

About the Partnership

Subject matter experts across legal, information and data practices, providing flexible options for practical assistance as you start your journey towards GDPR compliance

Backed by the resources of Parker Shaw and their thirty years of resourcing experience, our partnership will ensure that we create optimum technical and delivery teams to ensure the best possible implementation of any risk mitigation actions.

Utilising our experienced Information Governance professionals, we rapidly assess current policies, processes and technology against GDPR requirements. Focussing on the areas of highest risk, we deliver inventories, more complex policy and process uplifts and provide customised strategies to remediate and manage unstructured data.

Using our structured practitioner lead methodology, information and metadata is gathered and subsequently blended in our proprietary analytic software, enabling us to exceed your objectives cheaper and faster than traditional approaches, providing the detailed basis for actionable outcomes to be realised.

Our expertise is provided by our team who possess a deep understanding of the way business works and the value we can add to your bottom line. We provide proactive legal services and guidance to help you achieve GDPR compliance, ensuring that you have the necessary policies, processes, and training in place to meet Data Protection legislation requirements.

To receive more information on what we can do for your GDPR or Data Analysis needs feel free to get in touch with Debbie Walker (Business Development Manager) E: deborah@parkershaw.co.uk T: 07774914254 or Alex Mann (Account Manager) E. alex@parkershaw.co.uk T: 07825686047

Disclaimer

This article is not intended to provide legal advice with regards to the GDPR regulations, but to offer practical advice on steps that are necessary to put in place strong foundations for any data related activity of this nature.