A risk-based approach to the rules
In the coming months and years, we can expect a lot of official guidance for SMEs to come from national bodies such as the Information Commissioners’ Office. This will clarify and dictate the detail of what specific industry sectors must do to prepare for GDPR. But that doesn’t mean businesses can’t take the initiative and start their preparations now. We asked Christine Andrews ( right), managing director of data governance, audit and consultancy firm DQM GRC for her advice.
“First, organisations need to evaluate the personal data they have,” she told us. “Categorise the data so you’re clear where the personal and sensitive data resides, and where other, less important data sits in the company. Usually, drafting a data map will help businesses to understand the pattern of data through the company, provide clarity on who has eyes on the data, indicate what skills these people have and, finally, highlight where the data ends up.
“Once organisations understand just what personal data they’re holding, they should then ensure that regular risk assessments are completed, in order to understand the level of threat imposed on the company when processing data.
“The GDPR in fact demands a risk-based approach with the development of appropriate controls. This should, in a single stroke, ensure that management recognises the dangers associated with the loss, misuse, theft or any other compromise of customer data. For organisations that pass data onto others, there is a tendency to presume that third parties operate to high standards of data security and protection. The GDPR now requires controllers to obtain sufficient guarantees of this before engaging with processors.
“Basically, as the data owner, you must check that the organisations you’re working with have effective technical and organisational measures in place to ensure the security of the processing.”