Hacking and ransomware make the news, but no organisation wants to find itself in the headlines because of a data breach. The General Data Protection Regulation (GDPR) puts legislative teeth behind the need for measures that prevent such breaches. It also provides an opportunity to build a privacy data infrastructure fit for the future, and a platform for business advantage.
What is the GDPR for?
One of the primary aims of the Regulation, which applies from 25 May 2018, is to ensure that there is a lawful basis for every use of personal data and that the data is properly protected. In short, the GDPR puts rigour behind the growing need to improve data privacy.
Privacy data management and security
The first step towards GDPR compliance, according to many experts, is to conduct a privacy impact assessment (PIA); the Regulation itself, in Article 35, calls this a data protection impact assessment (DPIA). Its aim is to ensure that privacy risks are minimised while, wherever possible, the aims of the project are still met.
A PIA requires the collection and analysis of large quantities of sensitive information and metadata. For larger organisations, the scale and complexity of this exercise grow rapidly with the number of data types, the number of interrelationships between them and the length of the data supply chain. A completed PIA is itself an inventory of where personal data lives and who can reach it, so it needs the same protection as the data it describes. The security and integrity of this information is therefore paramount.
A PIA is specific to a particular process or set of processes and is a snapshot of the privacy impact at a particular moment in time.
However, information is rarely static. People change roles, move and leave, and the processes around their data do likewise. In other words, organisations cannot expect people or their data to remain frozen in time. Consequently, to be an effective risk management tool, a PIA needs to respond to changes in the underlying environment and be updated where appropriate.
The better solution
At this point, the designated privacy officer or one of the many GDPR stakeholders may be asking whether a form-based system and an ever-growing collection of insecure and cumbersome spreadsheets is the best way of generating and maintaining these PIAs.
What's required is a Privacy Management Platform that can map and monitor the flows of personal data within the organisation and across its supply chain and assess these flows against privacy policies and regulations.
Such a solution does exist. It is called Privacy Lens, and it securely delivers accurate and up-to-date PIAs as a matter of course.
In our next blog, we'll be highlighting more practical steps towards achieving this goal, the resources required, and the clear business benefits that this process can confer.