With GDPR on its way in May 2018, one of the big concerns for businesses, particularly SMEs, is going to be the identification, protection and processing of Personally Identifiable Information (PII). Knowing what sensitive data your organisation holds and whether it complies with new legislation could be a lot more complicated than it seems, but there are simple steps to take to ensure you meet compliance.

What is PII?

Let’s start with a definition. PII is any data that could identify a specific individual, whether directly or in combination with other data. (GDPR itself uses the broader term “personal data”: any information relating to an identified or identifiable natural person.) As well as obvious identifiers such as name, date of birth, address, email, phone number and banking details, this includes medical and financial information, unique identifiers such as passport, social security or national insurance numbers, and online identifiers such as IP addresses and cookie identifiers, which the regulation explicitly calls out.

Assuming that all of this data is already protected is a risky venture. With modern business conducted across on-premise servers and the cloud, numerous devices, interconnected business processes, apps, databases and shared files, the risks are very real. And that only takes into account business-critical information about staff and clients. Your marketing department may also have been tracking and gathering consumer data for years, and that information needs to be identified, assessed and acted upon too.

The GDPR will require businesses to protect all the personal data they hold, keep it accurate, and process it in accordance with the new rules. To do this, a business needs to know exactly what data it holds, and this is where the process of data discovery comes in.

Arguing that you didn’t know you had certain data will not save you from the harsh penalties waiting to be meted out. Nor will explaining that the data is years old and hasn’t been used anyway. Or that the person who collected that data has since left the building, so to speak. If you own the business and the business holds sensitive data relating to individuals in the EU (the regulation applies to people in the EU, not only to EU citizens), no matter how old it is, you are responsible for it.

Indeed, old data sitting forgotten in digital vaults could be a prime pitfall, so having the right IT systems in place to run an effective data discovery process across your entire network, databases, file shares and cloud storage will be one of the vital steps to cover.

The first thing you need to do, before you get your IT team or a GDPR consultant to work on your IT infrastructure, is to raise awareness across your organisation. Ensure your team knows its responsibilities, so that practices or processes which would make compliance harder are stopped before you start looking into your data.

Put in place a GDPR governance policy that covers data mapping: who has access to PII, where it is stored, and where it flows over time. Frontline staff are the ones who, on a day to day basis, work with, share, process or store sensitive data, and they need to know the data protection best practices that apply to them.

Then comes the IT factor.

Discovery Channel

As mentioned, the first part of this process is data discovery: identifying what data you hold, assessing whether it is PII and whether holding it breaches the regulations, and acting accordingly.

The best approach to take early on is to find sensitive data you hold that you don’t need, or that you have no lawful basis to keep, and dispose of it securely. Minimising the data you hold means minimising the risk of non-compliance, and data minimisation is itself one of the GDPR’s principles.

After that, you need to run a security audit to confirm that the data you still hold after your purge is backed up, secure, and accessible to the right people only. In essence: don’t store what you are not allowed to store, and protect what you need to retain.
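As an added illustration of the discovery step (example code written for this page, not a pebble.it tool), the following Python scan walks a directory tree, applies a few deliberately simplified detectors for common identifiers, and reports which files contain what. The sample files, the folder names and the patterns are constructed for the example; a real scanner uses validated rules (checksums, valid prefix tables) and also covers databases, mailboxes and cloud storage, which this sketch does not.

```python
"""Minimal PII discovery scan over a folder tree (added example, not pebble.it code)."""
import re
import tempfile
from collections import Counter
from pathlib import Path

# Simplified detectors. Assumption: these are illustrative patterns, not a validated
# ruleset, so expect false positives and tighten them before relying on them.
PATTERNS = {
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    # UK National Insurance number shape, e.g. QQ 12 34 56 C (prefix rules not enforced)
    "uk_ni_number": re.compile(r"\b[A-Z]{2}\s?\d{2}\s?\d{2}\s?\d{2}\s?[A-D]\b"),
    # dd/mm/yyyy dates, a rough proxy for dates of birth in HR-style exports
    "date_dd_mm_yyyy": re.compile(r"\b(?:0[1-9]|[12]\d|3[01])/(?:0[1-9]|1[0-2])/(?:19|20)\d{2}\b"),
}

# Only text-like files are scanned; office documents and archives need their own parsers.
SCAN_SUFFIXES = {".csv", ".txt", ".log", ".json", ".md"}


def scan_text(text):
    """Return {category: [matches]} for every detector that fires on the text."""
    hits = {}
    for name, pattern in PATTERNS.items():
        found = pattern.findall(text)
        if found:
            hits[name] = found
    return hits


def scan_tree(root):
    """Walk root and return {relative_path: Counter(category -> count)} for files holding PII."""
    root = Path(root)
    report = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable file: a real scanner would record this, not skip it silently
        hits = scan_text(text)
        if hits:
            report[path.relative_to(root).as_posix()] = Counter({k: len(v) for k, v in hits.items()})
    return report


def build_sample_tree(root):
    """Write constructed sample files (fake people, fake numbers) to scan."""
    root = Path(root)
    (root / "hr").mkdir(parents=True, exist_ok=True)
    (root / "marketing").mkdir(exist_ok=True)
    (root / "hr" / "staff_2009.csv").write_text(
        "name,ni_number,dob,email\n"
        "A Example,QQ 12 34 56 C,14/03/1981,a.example@example.com\n"
        "B Example,QQ123456A,02/11/1975,b.example@example.org\n",
        encoding="utf-8",
    )
    (root / "marketing" / "newsletter_export.txt").write_text(
        "signups: c.example@example.net; d.example@example.co.uk\n",
        encoding="utf-8",
    )
    (root / "README.md").write_text("Internal build notes, no personal data here.\n", encoding="utf-8")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel_path, counts in scan_tree(tmp).items():
            print(rel_path, dict(counts))
```

The output is a per-file inventory by identifier type, which is the raw material for the purge-or-protect decision that follows: the old HR export is the kind of file that turns up with no current owner, while the README is correctly left out of the report.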

How do you protect your data?

Your security audit will need to look at your IT infrastructure and cloud services, hardware and software, and make sure that all data is:

  • Backed up – so that it remains available to authorised personnel in the event of a data subject request, and recoverable if disaster recovery is ever needed. Backups hold the same personal data as the live systems, so they need the same access controls and encryption, and a defined retention period, so that data you have purged does not live on indefinitely in old backup sets
  • Protected from intrusion – securing your systems against cyberattacks, malware and ransomware through patching, access control and monitoring
  • Encrypted – rendering your data unusable to any unauthorised party, with the decryption key held by the company and stored separately from the data it protects. This should cover whole devices (full-disk encryption on laptops, phones and removable media) as well as individual files and databases, and data in transit as well as data at rest

To stay ahead of the GDPR pack, it is also advisable to adopt data protection by design and by default, and pseudonymisation is one of the measures the legislation explicitly names. Pseudonymised data is neither anonymous nor directly identifying: the direct identifiers are separated out and replaced with a token, so that a record cannot be linked to an individual without additional information (the key or lookup table), which must be held separately and protected by its own technical and organisational controls. Be clear about what this buys you, though. Because the data can still be attributed to a person by someone holding that additional information, GDPR treats pseudonymised data as personal data, and it remains within the regulation’s reach. Only properly anonymised data, which cannot be re-identified by any reasonably likely means, falls outside it. What pseudonymisation does is shrink the impact of a breach of the working dataset and demonstrate the appropriate safeguards the regulation asks for.
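To make the separation concrete, here is an added Python example (not code from pebble.it or from the regulation) that pseudonymises a small constructed customer export: direct identifiers are replaced by a keyed HMAC-SHA256 token, the identifiers go into a lookup table to be stored elsewhere, and re-identification is only possible with that table. The key, the field names and the records are assumptions made for the example.

```python
"""Pseudonymise a constructed customer export (added example, not pebble.it code)."""
import hashlib
import hmac
import secrets

# Fields treated as direct identifiers; everything else stays in the working dataset.
# Assumption: field names are chosen for this example.
DIRECT_IDENTIFIERS = ("name", "email", "ni_number")

# Constructed records with fake data.
SAMPLE_RECORDS = [
    {"name": "A Example", "email": "a.example@example.com", "ni_number": "QQ 12 34 56 C",
     "postcode_area": "SW1", "order_total": 120.0},
    {"name": "B Example", "email": "b.example@example.org", "ni_number": "QQ123456A",
     "postcode_area": "M1", "order_total": 45.5},
]


def pseudonym(key, subject_id):
    """Deterministic token: HMAC-SHA256 of the identifier under a secret key.

    Without the key the token can neither be reversed nor recomputed; with it, the
    same identifier always yields the same token, so datasets can still be joined.
    A plain unkeyed hash would not do: anyone could hash a list of known emails
    and match them against the tokens.
    """
    digest = hmac.new(key, subject_id.encode("utf-8"), hashlib.sha256).hexdigest()
    return digest[:16]


def pseudonymise(records, key, subject_field="email"):
    """Split records into a working dataset and a re-identification table.

    The working dataset carries the token plus the non-identifying fields; the table
    maps token -> direct identifiers and must be stored apart from the dataset.
    """
    working, lookup = [], {}
    for rec in records:
        token = pseudonym(key, rec[subject_field].strip().lower())
        lookup[token] = {f: rec[f] for f in DIRECT_IDENTIFIERS if f in rec}
        working.append({"pid": token, **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}})
    return working, lookup


def reidentify(row, lookup):
    """Join a working-dataset row back to its identifiers; needs the separately held table."""
    return {**row, **lookup[row["pid"]]}


def is_present(key, candidate_email, working):
    """Whoever holds the key can test whether a known person is in the dataset.

    This is exactly why pseudonymised data is still personal data under GDPR, and
    why the key must live apart from the working dataset (for example in a key store).
    """
    token = pseudonym(key, candidate_email.strip().lower())
    return any(row["pid"] == token for row in working)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in practice: generated and held in a separate key store
    working, lookup = pseudonymise(SAMPLE_RECORDS, key)
    print("working dataset:", working)
    print("re-identified row:", reidentify(working[0], lookup))
    print("key holder can confirm a.example@example.com:", is_present(key, "a.example@example.com", working))
```

Two points the code makes that the paragraph only states: the working dataset still carries quasi-identifiers (postcode area, order history) that could narrow down a person when combined with other data, so it has not become anonymous; and the deterministic token that makes joins possible also lets a key holder confirm membership, so the key and the lookup table need the same care as the identifiers they replace.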

Your Data Protection Officer (if you have appointed one) or the people responsible for the data your business controls may be gulping at the prospect of what is required, but in the hands of a certified GDPR consultant, all of the steps your business needs to take can be mapped out clearly, so that you understand what you need to do, and how to do it, without any of the scaremongering.

Find out how pebble.it can help you meet your GDPR requirements by getting in touch, and discover what steps you need to take by downloading our GDPR-readiness checklist.
