Personal information is an asset: sharing it with organizations can create value for customers, which is why people are willing to hand it over. The EU General Data Protection Regulation (GDPR), however, requires organizations to manage that data properly.
From 25 May 2018 it applies to organizations both inside and outside the EU that process the personal data of people in the EU, compelling them to process personal data lawfully, meet notification deadlines when there is a data breach and demonstrate GDPR compliance even when no breach has occurred.
The regulation defines personal data widely: it includes any information relating to an identified or identifiable person. Pseudonymized data is still personal data, because the individuals can be re-identified with additional information, so the protection it needs depends on how much effort it would take to reverse the pseudonymization.
GDPR – new rights
The new rights affecting people’s information enshrined in GDPR include:
- Right to be informed – i.e. transparency about how you use personal data
- Right of access – to obtain a copy of your own data and confirmation that it is being processed
- Right to rectification – correcting incorrect personal data
- Right to erasure – removal of all personal data from everywhere you might hold it
- Right to portability – the ability for people to obtain and re-use personal data
- Right to object – for example, data use in direct marketing
- Rights related to automated decision-making, including profiling
GDPR enforces accountability and governance within organizations, demanding that they show appropriate risk management and the steps taken to protect data. That includes establishing a lawful basis for processing people’s data (consent is one such basis) and being able to prove it.
GDPR and RESILIA
If GDPR makes the threat to data and personal information from cyber-attacks even more daunting, what can organizations do to prepare and minimize the risk?
AXELOS’ RESILIA best practice offers a lifecycle approach to cyber resilience. It combines the ITIL® framework for managing IT with an information security approach and is ultimately about establishing trust and transparency with customers by preventing cyber-attacks, detecting them if they happen and correcting what goes wrong. It is impossible to stop every potential cyber-attack and breach, so you need to be sure you can detect what you cannot prevent and respond effectively, with limited impact on business processes.
While many organizations invest in security technology such as firewalls and encryption, your people are an equally important factor. The 'human firewall' is one of the best defences you have against cyber and data privacy breaches.
RESILIA is also about risk mitigation and recognizing the balance between managing risks and enabling business opportunities. The guidance therefore helps organizations build a management system, a well-controlled, managed environment, that supports compliance with GDPR. A well-designed management system with effective processes also provides the audit trail required to demonstrate that your organization is doing everything it can to prevent a breach, which the ICO would take into account if a breach did occur.
How else can RESILIA help organizations?
- Policy management: creating and managing the policies GDPR requires
- Business relationship management (BRM) and stakeholder management: ensuring security requirements are understood
- Recruitment and training: finding the right people, providing ongoing training and auditing that they are doing what they should
- Supplier management: managing supplier risks. GDPR puts obligations on data processors, so do you know what your suppliers are doing to protect you and your data?
- Service Level Management: for example, responding to subject access requests within the statutory one-month deadline; notifying the regulator within 72 hours of becoming aware of a breach, and affected customers without undue delay
- Testing: ensuring controls are working
- Access management: access rights are granted, changed and revoked consistently for joiners, movers and leavers
- Incident management and continuity management: for breach management and the 72-hour notification to the regulator
GDPR: accentuate the positive, eliminate the negative
Documenting all the personal data you hold in your organization means you have a valuable asset – knowing what it is, where it is and what rights you have to use it. This opens up opportunities to see how data contributes value to your operation. In this way, GDPR turns from threat to opportunity, creating new ways to realize value.
Complying with GDPR is not only the law; it also does your organization and your customers a lot of good. And do not mistake this for a technical exercise: GDPR is first and foremost a business project.
You can watch our webinar again, with me and Dan Cole, Future Portfolio Lead, AXELOS Global Best Practice.
We also have a free analysis tool called RESILIA Snapshot, which is mapped to the 29 control areas outlined in the RESILIA Best Practice Guide. By using our tool, you can identify where your strengths and weaknesses lie in your security controls and processes. Try for yourself today!
In addition, RESILIA Frontline – our cyber security and data protection awareness training for all staff – will help educate your employees to make the right decisions, at the right time. Request a free live demo today to see the full suite, including our newly launched GDPR module.
Make your people your greatest defence against cyber and data privacy attacks with RESILIA!
Read more AXELOS Blog Posts by Stuart Rance