How to prepare for GDPR: Experts share their top tips
Experts from Balfour Beatty, IBM, ACCA and Age UK share their strategies and warn of the pitfalls in preparing for GDPR compliance
A panel of experts shared their top tips for GDPR compliance at a recent Computing event 'Gearing up for the GDPR: Efficient Data Management'.
The GDPR will come into force in May 2018, and updates data protection legislation across the EU. Computing has compiled a list of resources to help organisations prepare.
Veroniki Stamati, Information Security Assurance Manager at ACCA, a membership body which represents accountants, explained that her organisation's GDPR audit took twice as long as expected.
"We have over 200,000 members, and over 400,000 students," said Veroniki. "That's a lot of records of individuals. We're responsible for information security assurance and data protection programmes.
"GDPR will impact us heavily. We formally started an audit project in September 2016 with dedicated resources. We identified issues around undocumented processes, and our ability to start mapping data flows, which impacted initially our understanding of where all our data is.
"We're moving a lot of information to the cloud, so we don't have absolute control over where data is and where it's stored. That project took six months, which was double what we anticipated," she added.
Veroniki said that her organisation has now completed its risk assessments, ending up with a number of risks due to the project's low risk appetite.
"We now need to prioritise those risks in preparation for May. These risks need to be monitored on an ongoing basis and managed properly to align with the board's strategy in terms of what to sort out first, and what to do later on. But we're confident that we know where we are and what the key risks are against GDPR."
Terry Willis, Head of Information Systems at Age UK, one of the UK's largest charities, said that he feels he has a good grasp of where his organisation's data sits.
"We've gone through a massive CRM process, putting all our data into one database of over 20 million records," Willis began. "We have an almost single-pane 360 degree view of all customer information, whether they're a donor, benficiary, or someone we've given advice to. All of this is completely in a virtual private cloud. We sit in both Amazon and Azure, so we have some control over where that data actually is.
"And we're also FCA and FSA regulated. That means w have lots of checks and stops already in place. No one's 100 per cent sure, but we have a good hand on our data, its recency, and how often we talk to our contacts and get permission to store thir data. And we have a chief data officer who's very skilled in this area and I work hand in glove with her," he said.
Matthew Kay, Group Data Protection Officer at construction firm Balfour Beatty emphasised the need for training, which Computing's latest research into levels of GDPR preparedness among UK-based firms revealed is seen as the trickiest aspect.
"We focus on accountability, training and awareness," said Kay. "It's a long-term strategy which has been endorsed by our CEO, with accountable owners for all key projects.
"We were already training people on the [1998] Data Protection Act, now we're retraining them for GDPR and how it affects day to day work. Raising awareness is a continual process, you need to keep up communication and briefings to staff. You can only flourish if individuals are aware and know what to do," he concluded.
A panel at Computing's recent Enterprise Security and Risk Management Summit recently stated that GDPR has forced a number of changes to security training practises.
Confused by what constitutes personal data under GDPR? Check this analysis from Computing.
Bart Claeys, IBM System Storage Software Solutions Architect at IBM said that every business unit at his firm has its own team helping to ensure GDPR-readiness.
"IBM is taking GDPR readiness seriously," said Claeys. "Each business unit has a task team to look at both our internal processses and external offerings to make sure they are compliant by May 2018, and preferably before. Our chief data privacy officer is behind the whole GDPR readiness programme," he added.