GDPR: What does compliance even mean?

MSPs that dream of a quick fix or one-time solution are going to be sorely disappointed. The ability to comply with the GDPR is going to require a continuous effort. The reason is perhaps the most significant addition to the GDPR compared to previous data protection legislation, including the Data Protection Act from 1998. In this blog post, we explain why that is and what you can do to reach compliance.

The accountability requirement

That addition is the new ‘accountability requirement’. The important thing to understand is that companies are required to be able to demonstrate how they comply with the key principles of the GDPR. Companies will need to update how they approach and process personal data on a constant basis. Each time working methods are changed, new types of customers are brought along or personal data is registered in a new way, companies need to keep the protection of personal data up-to-date. Otherwise, they won’t be able to demonstrate to relevant authorities how their working methods are in compliance with the GDPR.

Compliance with the GDPR

To comply is to document that you respect the data protection principles of the GDPR. Those principles include that personal data is processed ‘lawfully, fairly and in a transparent manner in relation to individuals’. They also dictate that personal data ‘should be collected for specified, explicit and legitimate purposes’. And personal data should never be ‘further processed in a manner that is incompatible with those purposes’.

MSPs will need to start preparing right now if they want to comply come spring 2018. And perhaps the most effective approach is to break the concept of compliance into small pieces. We suggest the following route:

  1. Step: Identification

In the opening phase, companies need to create an overview. All of the company’s data should be mapped. Where is data located, who can access data and what purpose does it serve to the company?

  2. Step: Gap analysis

Quite simple but also quite extensive. In the second phase, companies compare their findings from the identification phase with the actual requirements from the GDPR. This process will make clear which steps are needed to comply.

  3. Step: Implementation

Another big one. Companies now have a thorough understanding of their personal data and the gap between current procedures and those needed to comply with the GDPR. Organisations that didn’t pay much attention to the DPA will have a huge task right here, but the job is to implement the principles of the GDPR in working procedures.

  4. Prepare for the worst

In case of a breach or leak, how is the company going to respond? Procedures should be in place to identify what types of data were leaked, which parties the leak involves, what the consequences are and how the company can make sure that it doesn’t happen again.

  5. Maintenance

We’re back at the ‘accountability requirement’. Companies need to make sure that safety procedures are coordinated with business activities. A constant effort.  


If you follow these five steps, you should have a very good chance of compliance with the accountability requirement.


Three highlights:

– The ‘accountability requirement’ asks that companies are always able to document how they comply with the data protection principles of the GDPR.

– Because of the ‘accountability requirement’, compliance is going to be an ongoing process for companies.

– MSPs will need to break compliance into small pieces. The first step is identification.