Business First September 2017 | Page 19
STOP A DATA LEAK BECOMING A REPORTABLE BREACH
Any audit carried out must review what security measures you have in place. The requirement to implement security measures is a standalone obligation under the GDPR imposed on controllers and processors alike. As part of the audit, you will need to look at where risk lies as well as the nature of the risk – for instance, is the processing high risk owing to the categories of data collected, the number of individuals who have access to the data, the fact that data is transferred outside the EU, or the format in which the data is held?

This process will help direct you as to which security measures you need and where risk can be mitigated by changing the processes in place.
The GDPR lists a number of possible measures which it recommends that anyone handling data take, including pseudonymisation (replacing identifying fields within a data record with artificial identifiers). Properly implemented, this could mean that even if the data is accessed, it may not actually contain any information by which a hacker could identify an individual.
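As an added illustration of the pseudonymisation measure described above (example code written for this page, not taken from the article or any product it mentions): identifying fields are swapped for keyed HMAC-SHA256 tokens, while the key and the token-to-value lookup are held apart from the records. The field names, the sample record and the key handling are assumptions.

```python
import hashlib
import hmac
import secrets

# Identifying fields whose values are swapped for artificial identifiers.
IDENTIFYING_FIELDS = ("name", "email", "nhs_number")


def make_token(value: str, key: bytes) -> str:
    """Derive a stable artificial identifier from one identifying value.

    A keyed hash (HMAC-SHA256) is used rather than a plain hash so that
    someone holding the pseudonymised data but not the key cannot rebuild
    the mapping by hashing guessed names or e-mail addresses.
    """
    normalised = value.strip().lower().encode("utf-8")
    return "pid_" + hmac.new(key, normalised, hashlib.sha256).hexdigest()[:24]


def pseudonymise(record: dict, key: bytes, fields=IDENTIFYING_FIELDS):
    """Return (pseudonymised_record, lookup); the lookup maps each token back
    to its original value and must be stored apart from the records."""
    out, lookup = dict(record), {}
    for field in fields:
        if out.get(field) is not None:
            token = make_token(str(out[field]), key)
            lookup[token] = out[field]
            out[field] = token
    return out, lookup


def reidentify(record: dict, lookup: dict, fields=IDENTIFYING_FIELDS) -> dict:
    """Restore original values using the separately held lookup table."""
    out = dict(record)
    for field in fields:
        if out.get(field) in lookup:
            out[field] = lookup[out[field]]
    return out


# Constructed sample record, not real data.
SAMPLE = {"name": "Jane Doe", "email": "jane@example.org",
          "nhs_number": "000 000 0000", "postcode_area": "BT1", "visits": 3}

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generate once; keep in a key vault
    pseudo, lookup = pseudonymise(SAMPLE, key)
    print(pseudo)  # no name, e-mail or number appears in the stored record
```

Because the same input always yields the same token under one key, records can still be linked and analysed without the key holder being involved; the lookup table and key are what turn a token back into a person.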
CREATE A LIFELINE IF THERE IS A BREACH
The purpose of the data audit is to help you to document the full lifecycle of the data you hold. With these facts at hand, it will be much easier to assess and contain a suspected data breach if it occurs. This helps you mitigate the risk of a data breach, with all of its attendant costs, but it also becomes a marketing point, allowing you to demonstrate to your customers that you're ahead of the data efficiency curve.

It should also help you to implement contingency or disaster recovery plans before your systems are compromised. Avoiding the commercial risks of losing data as a business asset is surely vital to any business, whether or not the law requires it.
CONCLUSION
By emphasising not just compliance through adherence to the conditions of processing, but also the need to be able to evidence compliance, and by making transparency an integral requirement, the GDPR shifts the onus from a data subject making a claim to a data controller proving its innocence. In this way, the GDPR is not simply a ratcheting up of the DPA; it is an attempt to shift the very culture of data privacy: how it is viewed, how it can be discussed and what should be expected.
Controllers will not only need to include a lot more detail in their privacy policies, they will also need to notify data subjects if they obtain their data from third parties, putting information and power into the hands of the people whose data is being processed, analysed, bought and sold.
Why should we bother with the GDPR? Because, in or out of the EU, the landscape is changing: data subjects are being given a language with which to demand more than lip service to matters of data privacy, and rights which allow them to test the veracity of claims made.
With additional powers being given to local authorities to issue certificates and badges which can adorn compliant websites, you will come to see that processing data is one of the core activities of your business.

By promoting your business's compliance with the GDPR, knowing the lifecycle of the data you hold, and implementing smart processes within your business structure, you will have succeeded in showing what gives your business the edge over your competitors.
www.businessfirstonline.co.uk