We are now only 80 days to the 25th May 2018 when GDPR will come into enforcement across the EU and in summary, from our initial assessments, very few companies are doing enough to contain the risk.
We have a number of steps in our approach which vary across different customer verticals but let me try to focus on 5 important ones. Let these be 6 best practices approaches for organisations work into their compliance regime in advance of May.
From our research and work with customers from numerous industries, everyone has some risk with GDPR. Unfortunately, the companies with the least amount of budget often have the most amount of risk. In the financial industries, companies are very well setup to meet compliance needs as there are so many other regulations at play. One is Mifid II which came into effect as recently as January 3rd.
Companies based outside the EU will also have to address GDPR and move to a global approach to data protection compliance as more and more countries align to the same level of regulation as undertaken by the GDPR. If organisations located outside the EU are offering goods and services to customers within the EU, they will have to comply whether they are data processors or controllers. You should think here about likes of Survey Monkey, Mailchimp, Google drive and many others which are often used as repositories for customers personal data, yet they are US based companies.
The fines are up to 2% of annual worldwide turnover in previous financial year or €10 million, whichever is the greater for minor breaches and, 4% of annual worldwide turnover in the previous financial year or €20 Million for major breaches. At that level of fine, there are basically no organisations which could withstand that level of fines. Some data protection advocacy groups are warning organisations that they will waste no time after May 25th to make subject matter requests and proceed with lodging cases if breaches are found. The ambulance chasing claims industry is also lining up to enable people to make damages claims against organisations which they are found in breach of the regulation.

1, Starting building your Data Registry
Data is everywhere in organisations. From the visitor’s book in reception, to the list of kids names for the annual Christmas fun day. Passports copies are often held on shared drives to meet other compliance needs for “Know your Customer” KYC regulation, for legal needs or for foreign travel. Multi-function printers hold copies of scanned documents on their internal disks, yet these devices are often the least secure and patched device in the office.
Hope is not lost, as a GDPR project is no different to any other in terms of business analysis skills once you have a good approach. This thinking helps you to reduce costs as you don’t have to choose GDPR experts to discover business processes as this is something you would do by default in most projects by using the skills of a business analyst. If you keep the focus of the business analyst team on discovering personal data and the processes for handling it, then you have the majority of what is needed for entries into the data registry.
The difficulty is having an open mind as to where personal data is stored. Your GDPR consultants will have this knowledge. Let us state some examples we find that an expert in GDPR is more likely to discover.
• The visitors sign-in book at reception
• A waiting list for procedures in a hospital
• CCTV footage of customers in your business
• Scans of passports for KYC checks
• Family and next of kin data held for HR or social reasons
• CV’s of people in email trails or attached to calendar invites
• Citizenship data for travel or visas

These are all areas where personal data is been kept, yet they would not be that obvious to most. 52% of all data stored by organisations, according to a Veritas study, would be these non-obvious categories.
If you don’t know what data you hold, where it is and who has access to it, you are in breach of the GDPR. Mid-sized SME’s must keep auditable records of all processing of personal data, but without a detailed description of the processes that this data is managed by, it will be hard for any organisation to prove compliance under the new principle of accountability brought in the GDPR.
Companies need to be able to know whether any personal data they hold is still needed for the purpose for which it was originally obtained. They then need to delete it if it does not comply with the principle of storage limitation.
Governance and Compliance departments also need to know if the personal data is sent outside the EU so they can put the right data transfer agreements in place to ensure that the transfers are lawful.
To achieve this, all departments should be accessed to understand how they obtain, use and disclose personal data.

2, The tools to aid discover are there.
At all times you need to note the security of the systems that process personal data, and ensure you have adequate and state of the art technology in place to protect it. The hackers, from which you are protecting your data against, will be using the latest hacking tools as they come available.
There are several tools on the market which allow you to document and map your data processes and then add these processes to your enterprise architecture documentation if you have such systems. GDPR promotes the use of a data registry for gathering basic information on data processes. The data registry will be the basis of how you need to audit your data processes and the data that flows through your organisations. With the right data management policies and processes, it is easier to comply with the GDPR.

3 ,The Dark data that is in your organisation
As mentioned above, if you integrate the correct technical tools into your data processes, you can also use tools to discover the more hidden data. These tools can discover the content, location and security controls of the data. Most businesses don’t know where this dark data resides, but it costs money to store and under the GDPR, it can also attract a regulation breach and associated fines. Use the tools to delete any data what you don’t need, and put in place the policies and procedures that will prevent the problem of unnecessary data gathering from reoccurring.

4, Establish processes to allow this data to be accessed fast to meet data subject requests
Under the GDPR each individual, aka Data Subject, within the EU will get new and improved rights around the management of their personal data. For example, each data subject has the right to have a copy of all the personal data that you hold on them, the right to have this data forgotten and deleted or to correct any errors in the data, to have its processing restricted, or request a copy of their personal data to take to another organisation. These requests must be fulfilled within a maximum of 30 days from the initial request. These timelines may look achievable, but there are many considerations
• The amount of personal data that many organisations hold on individuals
• The time it takes to consider the legality of the request
• Proving the individual are who they say they are
• Retrieving the data in all its different formats from numerous systems
• Reading it while focusing on just the personal data
• Considering what data can be held back for other legal or commercial considerations,
• Gaining any compliance approvals
Taking all that into consideration means that the timeline can be challenging and work intensive. If you fail to meet the 30-day limit then you can attract a significant fine. To be able to respond within the 30 days means that all the data processes, data registries and technology must be able to cater for this as the data is both structured and often unstructured in terms of social media data or contracts.

5, Establishing the correct work practices to meet the timelines
To meet the data subject requests, you need to put in place the processes to quickly pass the personal data you can discover and forward this to a compliance team for review. You need to ensure the company has a consistent process and it is not left to individual departments to come up with their own styles of approach.
You need to create procedures to ensure the personal data is
• Disclosed correctly as part of the data subject request
• Deleted when a right to be forgotten request arrives
• Corrected if needed by the data subject
• Exportable to a data subject if they want to port to another company
• Put in place Restrictions in electronic processes if they data subject objections to the processing
All the above needs to also be stored in auditable logs so that you can prove to the data commissioner on request if asked.

6, Start of the art technology and security
Its very important now in the age of pervasive cloud commuting, multiples devices and outsourced services that your company analyses the level of security around how your data is stored and protected.
The integrity and confidentiality principle in the GDPR requires that personal data be protected from loss, damage and destruction. It is therefore critical to make sure that the data is backed up securely, so you can recover it and that any data you remove from systems, is also removed from backups and redundant systems. This would also cover the secure destruction or wiping of hard drives, USB devices, scanners and print devices.
We have uncovered numerous examples of private data being found on personal cloud storage services such as Dropbox or OneDrive or people scanning and sending private data to personal emails or on devices outside the control of the ICT department.
There are numerous ways data can exit a company and often the simplest ways are via tools on peoples desktops or multi-function printers that are not normally restricted.
If companies do their data discovery phases, they are likely to find that personal data is scattered across multiples devices, cloud tools, network shares, personal mobile devices and backup systems.

Conclusion
If you follow all the above suggestions and best practices you can meet the challenges of the GDPR head on and be on a professional footing if the data regulator comes knocking on your door.