Five steps to year-round GDPR compliance
18 Sep 2018
The furore around GDPR implementation has died down and that’s a good thing, says Natasha Bougourd of TSG, because for engineers it will be an ongoing task rather than a fixed deadline...
The General Data Protection Regulation (GDPR) has hit the headlines non-stop since it was first announced two years ago, thanks to the huge fines attached to non-compliance, but there has been little in the way of practical guidance. The good news is that compliance is more of an ongoing journey than a task that could be marked as completed on 25 May 2018.
For the engineering sector, the most important aspect of GDPR is the notion of privacy by design. This means data protection and privacy must take centre stage at the beginning of any new project. Security and compliance must be paramount to any new systems or functionalities that process data. Beyond this are five key areas you should focus on:
Building your walls of defence
The data that’s applicable under GDPR is Personally Identifiable Information (PII), which can range from names, telephone numbers and email addresses to credit card numbers and even CCTV footage.
Many businesses that don’t store customers’ personal information make the mistake of thinking this doesn’t apply to them; however, all hold employee information. Therefore, all businesses must put measures in place to safeguard that digitally-stored data.
Rendering data unintelligible to thieves
The best method is a multi-layered approach. Encryption should be top of your list: not only is it a robust way to keep your data inaccessible to cyber criminals, it is recommended throughout the full GDPR documentation. Should any PII you hold fall into the wrong hands, encryption renders it unintelligible. Encryption can operate at file, folder, device or even server level, offering the protection most suited to your needs.
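As an added illustration of the “unintelligible to thieves” point (example code, not part of the article or TSG’s own tooling), the Go program below encrypts individual PII fields with AES-256-GCM before they are stored, so a copied database or backup exposes only ciphertext. It assumes the key comes from a separate key store and is never written alongside the data; the key generation here is a stand-in for that. Authenticated encryption also means a record that has been tampered with, or one decrypted with the wrong key, is rejected rather than silently returning garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// Record is a constructed PII record used to demonstrate field-level encryption.
type Record struct {
	Name  string
	Email string
	Phone string
}

// NewKey returns a random 256-bit key. In production the key would be
// fetched from a KMS or HSM (assumption), not generated next to the data.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptField seals one value with AES-256-GCM and returns
// base64(nonce || ciphertext || tag), suitable for a text column.
func EncryptField(key []byte, plaintext string) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	// A fresh random nonce per value; reuse with the same key breaks GCM.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(plaintext), nil)
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptField reverses EncryptField. Any modification of the stored
// value, or use of the wrong key, fails the GCM tag check and returns an error.
func DecryptField(key []byte, encoded string) (string, error) {
	sealed, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(sealed) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	nonce, ciphertext := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	plain, err := gcm.Open(nil, nonce, ciphertext, nil)
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

// EncryptRecord encrypts every PII field of a record in place-style copy.
func EncryptRecord(key []byte, r Record) (Record, error) {
	var out Record
	var err error
	if out.Name, err = EncryptField(key, r.Name); err != nil {
		return Record{}, err
	}
	if out.Email, err = EncryptField(key, r.Email); err != nil {
		return Record{}, err
	}
	if out.Phone, err = EncryptField(key, r.Phone); err != nil {
		return Record{}, err
	}
	return out, nil
}

func main() {
	key, _ := NewKey()
	// Constructed sample record (not real data).
	enc, _ := EncryptRecord(key, Record{Name: "A. Sample", Email: "a.sample@example.com", Phone: "01234 567890"})
	fmt.Printf("stored form: %+v\n", enc) // unreadable without the key
	email, err := DecryptField(key, enc.Email)
	fmt.Println("decrypted email:", email, "err:", err)
}
```

The decision that matters operationally is where the key lives: encryption at this level protects against a stolen disk, a leaked backup or an exfiltrated database dump, but not against an attacker who can already call the application with legitimate access to the key, which is why the key store and its access logging belong to a separate trust boundary.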
Reviewing your policies and processes
One of the most important elements is reviewing processes and policies to ensure they comply with the regulation. Data controllers must “adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default.” All new policies, whether specifically related to GDPR or not, must be compiled with a ‘privacy by design’ model. Existing policies, including your data protection policy, privacy policy and training policy, should also be reviewed.
Complying with individual requests
Individuals can request access to the data you hold on them, verify that you are processing it lawfully and, in some cases, request erasure of their data – the ‘right to be forgotten’. Under GDPR you have only a month to respond to these requests, otherwise you are at risk of non-compliance. More guidance on this can be found in the Information Commissioner’s Office guide.
Acting fast on breaches
Whilst businesses are most fearful of experiencing a data leak, failing to report it could be treated as the bigger infraction. Businesses must report a breach to the Information Commissioner’s Office (ICO) within 72 hours of discovery; missing that deadline could be considered a more serious breach of the GDPR than the data leak itself.
Finally… don’t panic. Simply experiencing a cyber-attack or data breach won’t automatically result in financial punishment; the GDPR clearly states that, if you can prove you put in place measures to protect your PII, you won’t be hit with the most severe fines.
Natasha Bougourd is lead applications writer at TSG.