After reading our blog “Initiating Steps On The Path To GDPR Compliance” and completing your data mapping exercise, you should now have an understanding of what data your company collects, how it is used, where it is stored, who has access, and when and how it is deleted. What should you do next?
For the next step, you need to assess the identified data flows and rate their importance and sensitivity. You may need to have different rating scales to consider, both from the company perspective and an individual’s viewpoint. Proprietary information does not mean much to an individual, just like a social security number does not mean much to the company’s overall survival. So, data’s value is determined by the owner’s perspective.
The Importance of Risk Assessment and Management
One of the big components of the GDPR is risk assessment and management. By having an active risk management program, you can address many areas of the GDPR. Your data mapping and ratings need to be brought into your risk management program, by assessing the risks associated with the data. Using a risk-based approach has three main benefits.
- A risk-based approach is an effective tool for ensuring a high level of protection of the rights and freedoms of individuals. It allows resources to be dedicated to the areas where the risks and potential harms for individuals are most significant and to mitigate these risks. This creates better outcomes and more effective protection for individuals.
- Risk assessment helps organizations devise effective and appropriate mitigations and controls by assessing the likelihood and significance of the impacts and any potential harms to individuals. This approach ensures that the benefits of the processing activity are maximized while the negative impact of the activity on the rights and freedoms of individuals is minimized.
- A risk-based approach to data protection enables organizations to prioritize tasks and allocate their resources effectively while protecting the rights and freedoms of individuals.
While you could just address all the data flows generically in the risk assessment, that approach probably would result in the overprotection of unimportant data. The other extreme of separate risk assessment for each data flow can bog you down needlessly. By grouping your data flows and then evaluating the category simplifies the approach. Plus, new data flows can be placed in existing categories and then easily come online without a new risk assessment.
The risk assessment output should identify and specify the controls required to be placed on the data. This includes things such as user access lists, acceptable storage locations, deletion dates and backup procedures. The GDPR requires the implementation of appropriate technical and organizational measures to ensure a level of security appropriate to the risk. Other factors include state of the art, the cost of implementation and the nature of the data processing.
Protect Your Data By Encrypting It At Rest
One of the best protections to place on your data is to encrypt it at rest. But, that is also the easiest way to lose access to your data. Do not start encrypting data or drives without a proper encryption key management program in place and tested. This is not an area where you should scrimp and attempt to save a buck or two. Make sure it is fully redundant with multiple access methods. Relying just on your network admin and their laptop is the surest path to disaster. Encryption at rest is considered a standard industry practice, so if you do have a breach and your data was not encrypted, regulators are likely to be more severe in their reaction. And don’t forget any backup data that you create on a regular basis!
Learn more about how Optimal IdM can help you achieve GDPR compliance by contacting us now.