Business First September 2017 | Page 19

STOP A DATA LEAK BECOMING A REPORTABLE BREACH

Any audit carried out must review what security measures you have in place. The requirement to implement security measures is a standalone obligation under the GDPR, imposed on controllers and processors alike. As part of the audit, you will need to look at where the risk lies as well as the nature of the risk – for instance, is the processing high risk owing to the categories of data collected, the number of individuals who have access to the data, the fact that data is transferred outside the EU, or the format in which the data is held? This process will help direct you as to which security measures you need and where risk can be mitigated by changing the processes in place. The GDPR lists a number of possible measures which it recommends that anyone handling data take, including pseudonymisation (replacing identifying fields within a data record with artificial identifiers), which, if properly implemented, could mean that even if the data is accessed it may not actually contain any information by which a hacker could identify an individual.

CREATE A LIFELINE IF THERE IS A BREACH

The purpose of the data audit is to help you document the full life cycle of the data you hold. With these facts at hand, it will be much easier to assess and contain a suspected data breach if it occurs. This helps you mitigate the risk of a data breach, with all of its attendant costs – but it also becomes a marketing point, allowing you to demonstrate to your customers that you are ahead of the data efficiency curve. It should also help you to implement contingency or disaster recovery plans before your systems are compromised. Avoiding the commercial risk of losing data as a business asset is surely vital to any business, whether or not the law requires it.
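The pseudonymisation measure described above, shown as working code. This is an added example, not code from Business First or from the GDPR text: it replaces the identifying fields of each customer record with keyed tokens (HMAC-SHA256), keeps the token-to-value lookup table separate from the working dataset, and checks that no original identifier survives in the output. The record layout, field names and key are all constructed for the illustration; in practice the key and lookup table would be held in a separate, access-controlled store, because together they are the "additional information" that re-identifies the data.

```python
import hashlib
import hmac
import json

# Constructed sample records for the demonstration (fictional people).
SAMPLE_RECORDS = [
    {"customer_id": "C-1001", "email": "alice@example.com",
     "postcode": "BT1 1AA", "order_total": 42.50},
    {"customer_id": "C-1002", "email": "bob@example.com",
     "postcode": "BT2 2BB", "order_total": 17.00},
    {"customer_id": "C-1001", "email": "alice@example.com",
     "postcode": "BT1 1AA", "order_total": 9.99},
]

# Fields that identify a person directly; everything else is kept as-is.
IDENTIFYING_FIELDS = ("customer_id", "email", "postcode")

# Constructed demo key. A real deployment would load this from a secrets
# store that the analytics environment cannot read.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"


def pseudonym(value, key):
    # Keyed hash: the same value with the same key always gives the same
    # token, so per-customer analysis still works, but without the key the
    # token cannot be reversed or matched against a list of known emails.
    mac = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "PSN-" + mac[:16]


def pseudonymise_record(record, key, fields=IDENTIFYING_FIELDS):
    out = dict(record)
    for field in fields:
        if out.get(field) is not None:
            out[field] = pseudonym(str(out[field]), key)
    return out


def pseudonymise_dataset(records, key):
    """Return (pseudonymised_records, lookup_table).

    The lookup table maps token -> original value. It must be stored
    separately from the pseudonymised records, since anyone holding both
    can trivially re-identify every row."""
    lookup = {}
    result = []
    for rec in records:
        pseudo = pseudonymise_record(rec, key)
        for field in IDENTIFYING_FIELDS:
            if rec.get(field) is not None:
                lookup[pseudo[field]] = rec[field]
        result.append(pseudo)
    return result, lookup


def reidentify(record, lookup, fields=IDENTIFYING_FIELDS):
    # Reverse the substitution using the separately held lookup table.
    out = dict(record)
    for field in fields:
        if field in out and out[field] in lookup:
            out[field] = lookup[out[field]]
    return out


def leaks_identifiers(pseudonymised_records, original_records):
    # Audit check: does any original identifying value appear anywhere in
    # the pseudonymised output? Should be False before the data is shared.
    blob = json.dumps(pseudonymised_records)
    originals = {str(rec[f]) for rec in original_records
                 for f in IDENTIFYING_FIELDS if rec.get(f) is not None}
    return any(value in blob for value in originals)


if __name__ == "__main__":
    pseudo_rows, table = pseudonymise_dataset(SAMPLE_RECORDS, DEMO_KEY)
    print(json.dumps(pseudo_rows, indent=2))
    print("identifiers leaked:", leaks_identifiers(pseudo_rows, SAMPLE_RECORDS))
```

Two properties matter for the audit described in the article: the tokens are consistent (both of the first customer's orders carry the same token, so the working copy remains useful), and the working copy on its own contains none of the original identifiers. Changing the key yields a completely different set of tokens, which is also how a leaked working copy can be decoupled from any future export.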
CONCLUSION

By emphasising not just compliance by adhering to the conditions of processing, but also the need to be able to evidence compliance, and by making transparency an integral requirement, the GDPR shifts the onus from a data subject making a claim to a data controller proving its innocence. In this way, the GDPR is not simply a ratcheting up of the DPA – it is an attempt to shift the very culture of data privacy: how it is viewed, how it can be discussed and what should be expected. Controllers will not only need to include a lot more detail in their privacy policies; they will also need to notify data subjects if they obtain their data from third parties – putting information and power into the hands of the people whose data is being processed, analysed, bought and sold. Why should we bother with the GDPR? – because, in or out of the EU, the landscape is changing and data subjects are being given a language by which to demand more than lip service being paid to matters of data privacy, and rights which allow them to test the verity of claims made. With additional powers being given to local authorities to issue certificates and badges which can adorn compliant websites, you will be able to show that processing data is one of the core activities of your business. By promoting your business's compliance with the GDPR, knowing the life cycle of the data you hold, and implementing smart processes within your business structure, you will have succeeded in showing what gives your business the edge over your competitors.

www.businessfirstonline.co.uk 17