Associate feature: Why does your organisation need to prepare for a data breach?

It’s now not a question of ‘if’ but rather ‘when’ the next data breach will occur. Data breaches pose a significant threat to organisations regardless of size, sector or location, and although it has now been six months since the EU’s General Data Protection Regulation (GDPR) came into effect, European organisations – and many others globally – are still faced with the practicalities of trying to understand how to best implement data protection and processes for responding to data breaches.

2018 has seen major organisations such as British Airways, Reddit and Cathay Pacific suffer data breaches, bringing the issue of data protection into the zeitgeist. These cases follow the much-publicised WannaCry incident of 2017, when more than 300,000 NHS computers were infected and led to damages costing in the region of £1 billion.

On 24 October 2018, Holyrood’s Future of Data Protection Conference, supported by the Information Commissioner’s Office, took place at the prestigious Dynamic Earth in Edinburgh. This day of workshops, networking and panel discussions saw key decision makers within the data protection field share knowledge and advice about the key areas affecting the public sector.

IT Governance sponsored the panel discussion concerning the chief information security officer and data protection officer roles. Debate was lively with great audience participation, but it became clear early on that organisations still have much to do on their GDPR compliance journeys, as a lot of confusion exists. 

Our speaker, Stuart Skelly, who is one of IT Governance’s vastly experienced GDPR consultants, shared his insight into the challenges facing organisations, as well as advising those that hold vast amounts of personal data how they can become secure.

He said: “Organisations must implement a practical, feasible document management policy (including a data retention and disposal policy). Public-sector organisations hold so much personal data, in so many locations and for so many different reasons, that this can be very difficult to create and to manage/monitor adherence. But it is one of the absolute foundations of a successful GDPR/Data Protection Act 2018 compliance strategy.”

How do you make sure that your data is secure? Where do you start?

The best place to start is by conducting a data protection impact assessment (DPIA).  DPIAs help organisations identify, assess, and mitigate or minimise privacy risks associated with data processing activities. More importantly, they also help to pinpoint security vulnerabilities, which means that issues are resolved early in the process, and organisations are able to build better, more cost-effective, secure systems.

What does a DPIA involve?

First, identify whether the inherent risks of your processing operation require a DPIA. Article 35(1) of the GDPR states that you must undertake a DPIA where a type of processing is likely to result in a high risk to the rights and freedoms of data subjects.

Once you have determined whether your organisation requires a DPIA, you must be able to describe the information flow: how the information within the processing operation is collected, stored, used and deleted.

The long-term benefits of a DPIA

As mentioned, avoiding the financial penalties associated with the GDPR is one of the major benefits of conducting a DPIA.

Consistent use of DPIAs increases employees’ awareness of privacy and data protection issues. It will also ensure that all relevant staff involved in planning projects consider privacy in the early stages and adopt a ‘data protection by design’ approach.

What do I do next?

A DPIA should be conducted as early as possible within any new project lifecycle, so that its findings and recommendations can be incorporated into the design of the processing operation.

IT Governance provides a number of DPIA solutions, as well as GDPR services including training, that can help you fill the gaps in your GDPR compliance. As a leading provider of GDPR expertise and solutions, IT Governance supports organisations of all sizes in initiating and maintaining their compliance projects through books, documentation toolkits, staff awareness, compliance tools and consultancy.

To discuss your GDPR concerns or requirements, contact us today.

Alan Calder is founder and executive chairman, Scotland, of IT Governance Ltd

This piece was sponsored by IT Governance