Elizabeth Denham, CBE, was appointed UK Information Commissioner in July 2016. Just before the General Data Protection Regulation (GDPR) became applicable in May 2018, she was named the most influential person in data-driven business in the updated DataIQ 100.
In the Information Commissioner’s Office (ICO, the UK’s independent data protection authority) campaign leading up to 25 May 2018, when GDPR became enforceable, Denham said, ‘One of the key requirements in GDPR is accountability; that is, being able to demonstrate you are compliant with data protection law.’ She further commented, ‘Cyber security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this, not only as they have a duty under law, but because they have a duty to their customers.’
The 4 P’s
The approach to compliance should be positive. Aligning with GDPR is an opportunity to take the business through a transformation exercise that not only makes the organisation more resilient but can also lead to a far better experience for your customers, whether B2B or B2C.
GDPR compliance isn’t going to happen overnight. As recent events have shown, organisations need to demonstrate flexibility and ensure business continuity, so a pragmatic approach helps. An organisation can then focus on where the immediate risks are and on how to mitigate, or work towards reducing, each one. From there it can look to create a security culture in which, organisation-wide, all employees adopt the principles of security and privacy by design.
People are, sadly, the weakest link: too many data breaches trace back to a simple human error. One of the ICO’s 12 steps towards GDPR compliance is awareness, ensuring that everyone within the business understands what GDPR compliance means. It isn’t a tick-box exercise to be marked ‘done’; the threat landscape grows ever more complex, and attackers’ lures change with it. Regular training therefore not only supports compliance but also strengthens your ‘human firewall’, reducing the risk of a data breach via a phishing or vishing attack. Training lowers the likelihood that such an attack succeeds but does not remove it, so pair it with technical controls such as multi-factor authentication and mail filtering, and measure its effect (for example with simulated phishing) rather than assuming it works.
Were you to get a visit from the ICO, one of the documents they would ask you for is your Record of Processing Activities (ROPA), required by Article 30 of GDPR. This documents each processing activity (its purposes, the categories of personal data and data subjects involved, the recipients, and retention periods where possible) together with a general description of the technical and organisational security measures that safeguard the personal data, e.g. encryption, access controls and training.