I’m sure that most organisations will be very aware that the new GDPR regulations will apply from 25/5/2018, one year from now. I’m not sure, however, that most organisations are confident that they will have the processes and tools in place to ensure that they will be compliant from this date.
A recent survey by IASME Consortium found that, of the businesses that responded:
- 6% felt that implementation of GDPR would take a year or more
- 2% said they hadn’t considered allocating resource yet
- 21% of businesses acknowledged that they understood what GDPR is
So, what solutions are out there to help you solve your GDPR problems? From what we see, there are a number of tools in the marketplace that take a very IT-security-driven approach to GDPR: identifying which applications and databases hold GDPR data, locking them down, controlling user access, and so on. This is obviously important and a good place to start to avoid any initial ‘fires’, but it is a very bottom-up approach to the problem. The new regulations put an emphasis on business understanding: why is the data being collected in the first place, are you getting consent, and so on. Check out the excellent 12-steps document from the ICO at https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf for more information. As a starting point, then, organisations need to define the data they use that falls under GDPR, understand which processes collect and use this data, and capture the legal basis for its use, how consent was gained from the client, and where this consent is stored. So, whilst the tools focusing on the IT side of GDPR are absolutely crucial, they do not address these business requirements.
So how do I use Essential to support GDPR?
Essential has the means to support these business requirements using the existing process definitions within the meta model, which are already linked to information, applications and legal obligations; we use the legal obligations to capture the legal basis for use and consent.
The out-of-the-box views cover a number of the questions you need to answer, and we are finalising a complete pack with a GDPR partner that will support organisations in understanding the situation from top to bottom in one tool:
From the business questions:
- What personal data do you hold?
- Where did it come from?
- What is the legal basis for the data being held?
- How was consent received?
- Who do we share it with?
- How long do we retain the data for?
To the technical questions:
- Where do you hold it?
- Where is my technology risk greatest?
- How do we dispose of the data?
For those not already embarked on the GDPR journey, we would recommend starting to capture your processes now. Whilst not rocket science, this will take some time and produce a level of detail that will not be easily managed in a spreadsheet. This initial step is crucial in meeting the 25/5/2018 deadline.