The General Data Protection Regulation will come into effect in May 2018. It replaces the current Data Protection Act – updating the guidelines on how personal data is processed and held by organisations. A crucial element of ensuring an organisation is compliant with GDPR is a thorough data audit
It’s essential to fully understand the personally identifiable information (PII) data your school or academy relies on to function – who’s using the data, how it’s acquired and managed – as the foundations for achieving and maintaining compliance.
Richard Jones of cyber-security firm Foregenix highlights ten things to consider in this crucial phase of your GDPR project:
1 Be thorough
Investment in thorough processes will help you define and ultimately refine the scope of the project paying significant dividends further down the line.
2 Go with the flow
A data discovery exercise will help you better understand the flow of PII around the organisation. Where data enters systems, who uses it, where it resides and even where it leaves the organisation, who it’s shared with or processed by and by which other third parties.
3 Remember what Donald Rumsfeld once said…
The US statesman was famous for his phrase looking for ‘unknown, unknowns’. So, don’t neglect to search all possible areas where PII might reside, however unlikely a place it might seem, and not just where you know data is kept. A thorough audit covers all bases, searching the regulated and un-regulated areas of an organisation.
4 Insiders can be as dangerous as intruders
While the external threat might loom large, staff can also access and potentially remove PII without permission. It can be as simple as placing a USB stick in a PC. Unfettered access to PII could prove extremely costly. The ability to monitor who owns and has access to unprotected PII is essential under GDPR.
5 PII is open to interpretation
Under GDPR what constitutes PII may not always be obvious. Be prepared to look for data that is specific to the way your organisation identifies the individuals it engages with. And don’t forget there is a distinct difference between PII and ‘sensitive data’, such as medical records that don’t comply with PII formats – for example, credit card or passport numbers. It means you need to consider how to custom search for data that doesn’t exist in highly structured, industry standard formats.
6 Combine a central oversight with departmental responsibility
Whether or not your organisation is required to have a dedicated Data Protection Officer (DPO), someone is required to be responsible for organisation’s PII and sensitive data. You need to be able to see the bigger picture that will enable that function or individual to monitor overall compliance and assert responsibility onto those who own the data that falls within scope of GDPR.
7 Is your data an asset or a liability?
Use a data audit to ‘cut the redundant, obsolete or trivial’ (ROT) out of your organisation. Research suggests that upwards of 34% of data classed as PII can be classified as ROT.
8 Doing something is better than doing nothing
Any data discovery exercise should bring with it the option to deal with the PII you discover there and then. The option to protect it, delete it or place it into quarantine whilst you make up your mind will ensure you’re not leaving yourself exposed to the risk of compromising unprotected PII.
9 Put yourself in a defensible position
GDPR is not a tick box exercise; there is no pass or fail and no standard to follow. Ignorance or evasion will prove no defence should PII be subject to a data compromise. Using data discovery technology to manage and monitor PII within your organisation will serve to prove you are adhering to a best practice when it comes to complying with GDPR.
10 Make data discovery a habit
GDPR is an ongoing legal requirement, so a one-off exercise is not sufficient to ensure compliance in the longer-term. Monitoring PII and other sensitive data must become part of your ongoing day-to-day IT operations.