What does the GDPR mean for your company's IT department?
The General Data Protection Regulation, better known as GDPR, lays down the rules for the processing and storage of personal data within businesses. The IT manager plays a crucial role in the compliance process.
General Data Protection Regulation (GDPR) is a European regulation with the same legal force as a Belgian law. It lays down the rules for the protection of the personal data and privacy of EU residents.
All businesses that process and store personal data have to take steps to protect that data.
Each Member State has a Data Protection Authority (DPA, the former Privacy Commission) which monitors compliance with the GDPR. In case of breaches, the DPA can impose fines. And it does.
What is personal data?
Personal data covers all forms of data with which a natural person can be identified, such as name, date of birth, phone number, etc.
In a business, it mainly concerns customer data, but things like access security using badges, number-plate recognition and camera surveillance also fall under the GDPR.
A business may collect such data but the person whose data is collected has to consent to this.
Moreover, the data can only be used for the purpose for which it was collected, and may not be kept longer than necessary.
Identifying the data
The first step is to carefully identify the data that is collected by your business and how it is used. Talk to the different departments (sales, marketing, HR, accounting, etc.) about the data they require and how they process it. This is a good opportunity for finding out whether the same data is collected or processed twice. Agree to procedures for managing and modifying the data.
A key principle of the GDPR is that people have the right to access any data about them which is stored, and can modify such data or in some cases even delete it. You should also establish procedures for this.
Keep a record
The GDPR requires businesses to keep a record of their processing activities. In principle, this is not required for businesses with under 250 employees unless the processing occurs regularly. This is the case, for example, when you maintain a customer database, employee data, etc. Therefore, a record of processing activities is also required for smaller businesses.
The record contains an overview of the processing activities and should include the following information, among others: the name and contact details of the processing manager, the processing purposes, the type of personal data, the recipients of the personal data, the storage duration, and if possible, a general description of the security measures. The record may be kept on paper or electronically. You will find a model on the website of the DPA.
Check your ICT
The next step is to find out which IT infrastructure is used for the data processing. Which servers and systems contain personal data, and which databases and applications are used? How are they protected? Needless to say, data must be protected so that it doesn't fall into the wrong hands. This applies to both external parties (you don't want hackers to run off with your customer base) and internal parties (only authorized persons should have access to the personal data).
Also look out for Shadow IT, meaning IT systems and applications that are brought in by users themselves. Examples include employees using messenger apps instead of e-mail, or a sales employee copying customer data to an insecure USB stick for convenience.
What about data breaches?
A business must also have a procedure for reporting personal data breaches. A data breach can take many forms: a lost or stolen laptop or USB stick, a hacker who intercepts customer data, and so on.
A business must record each data breach in an internal log book. The cause, the affected data, and the measures taken should also be mentioned. If the data breach poses a potential risk to the rights and freedoms of the persons concerned, the DPA should also be notified (within 72 hours). In case of a high risk to the persons concerned, they should also be notified. This is the case, for example, in breaches of sensitive information (such as financial situation, health, official documents, and passwords). You should also mention the measures you have taken to fix the data breach and prevent it in future, as well as any measures you recommend the persons concerned take to limit the potential damage.