[16.02.2018]

3 Stages to GDPR Compliance, Part 3

GDPR Preparation for SMEs

Stage 3 – Right to be Forgotten, Breaches and Repeat.

If you have been following the last 2 stages of our series on GDPR Preparation, you will be on the road to putting into place a reasonably robust start at GDPR compliance.  You’ve identified the data, you’ve located it, you’ve categorised it in a register.  Not only that, you’ve secured permissions, you’ve tested your right to process and you’ve put all the protections in place.  That is a massive achievement, so well done!  Now, at Stage 3, it all gets a little bit easier, but there are still a couple of significant points to keep abreast of.


1. Right to be forgotten

A main purpose of GDPR is to give the individual the right to erasure, more commonly known as the right to be forgotten.  This means that the person whose data is being held has the right to request that all data regarding them be erased.  This must happen without undue delay if there is no reasonable or compelling reason for the data to continue to be held.  The deletion should be documented, as regulators can ask to see proof that confirms your compliance.

There is little clarity on what erasure means for GDPR, but best practice is thought to include:

Physical Destruction

This means literally destroying hard-drives and other storage devices with “mechanical shredders” or degaussing them (using powerful magnets to wipe devices; think of it as the Magneto effect!).

Crypto Erasure

Crypto Erase sounds exciting too, but it simply erases the encryption key of a self-encrypting device.  While the data remains on the storage device, erasing the original key means the data can no longer be decrypted, so it is effectively unrecoverable.

Data Erasure

Nothing to do with the 80’s pop duo, this involves using software that overwrites all data on the device, rendering it unrecoverable.  This must be a verifiable process and should produce a certificate at the end to prove that erasure was successful.


2. Data Breach procedure


Put in place a data breach procedure and practice it.  If you have a breach, you are obliged to notify your LSA (lead supervisory authority) within 72 hours, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of data subjects.  Where notification is required, the 72 hours start counting down from the time you detect the breach, not from the time you report it.


As part of your Data Breach procedure, develop a Cybersecurity policy.  Ensure all encryption procedures are up to date, train staff to detect breaches early, keep records of any breaches and of the steps taken to ensure such a breach does not occur again, and establish a process for complying with the notification requirements.


A notification to your LSA should include:
  • Contact details for the main point of contact within your business
  • A description of the nature of the breach
  • If possible, the number of data subjects affected
  • What you think the likely consequences of the breach might be
  • And finally, details of the measures you are taking to control the breach and mitigate its effects.


A notification to the data subject(s) concerned should include:
  • Contact details for the main point of contact within your business
  • What you think the likely consequences of the breach might be
  • Details of the measures you are taking to control the breach and mitigate its effects.


3. Now Repeat!

This is the last stage: repeat.  Regularly reassess your data collection, where it lives and how easy it would be for someone to access it illegally.  Developments in data security, and hackers’ ability to pierce them, are moving forward all the time.  Regardless of whether your business is affected by GDPR, regular housekeeping in this area is a must for any modern business.


Good luck!
