A guide to GDPR for IT
As we get closer to the deadline we release the fourth guide to GDPR by function, this time for the IT function. It focuses on the three top preparations that the IT function can prioritise in the run up to the deadline and the themes that will be important to them.
The EU General Data Protection Regulation (GDPR) is almost upon us and takes effect on 25 May 2018. IT teams have a key role to play in helping businesses to ensure that they are able to meet the requirements of GDPR.
Any data that you or a third party collects, processes and shares about employees, contractors, consultants, customers, clients or visitors must comply with the principles of GDPR. It is your responsibility to ensure third parties are compliant.
Top three preparations
Know your data
You will be expected to help the business respond quickly and effectively to people, including employees, exercising their rights under GDPR. To do that you need to carry out a data mapping exercise to find out what data you have, where you have it and how you can consolidate it to reduce the privacy risk.
Know your suppliers
You should know what third parties are doing to collect and/or process personal data on your behalf, including how and where they are storing and sharing that data. Using a risk-based approach, you can ensure the contracts that you have with suppliers are fit for purpose under GDPR and set out what happens to any personal data when the contract ends or is cancelled.
Be clear about your objectives
Whether you are buying in products/services or developing them yourself, you must ensure that privacy, as with security, is considered from the very start. Whether it's new technology or high risk processing, you must do a data protection impact assessment as early as possible.
Top themes to focus on
It is important to recognise that security is only a part of getting GDPR right. It is, however, an important part. We advise you to have a risk-based, structured framework in place to give personal data the protection it needs. Developing and maintaining such a framework is extremely important but it does not need to be an onerous task.
Privacy by Design
Your IT processes should consider privacy at all stages. If you are procuring or developing your own solutions you will need to ensure that you have security by design. You will be required to help other areas of the business with their privacy by design activities, such as data protection impact assessments.
Things do go wrong, even with the best technical controls in place. Human error can never be totally eradicated. It is therefore important that you have a plan in place for when something does go wrong. In addition to a plan, it is also important to test it thoroughly with those who are likely to be involved in a personal data breach. The incident response team will be wider than your IT team but they will have a key role to play.
We have a whole host of other supporting material on this subject which can be found here.
Published date: 27 April 2018
Written by: Stephen Bailey