Public Services > Central Government

EU GDPR: One year Left to Comply

Published 25 May 2017

With the clock now starting to tick louder down to GDPR, Richard Stiennon, chief strategy officer of Blancco Technology Group, sets out the steps organisations should take to achieve compliance


Today marks exactly a year until the EU GDPR, a game-changing data protection regulation, comes into force. It is comprised of many legal requirements, each of which is extremely complex and covers any type of Personally Identifiable Information (PII) that can be tied back to an individual. For example, citizens’ banking information, health records and government identify records.

The requirements are stringent and the penalties for non-compliance are severe; up to €20m or 4% of the organisation’s global turnover. As a result it will require a significant overhaul of IT infrastructure, processes and tools, and additional budget to be allocated to on-going compliance. Network, endpoint and data security measures will continue to be deployed where they’ve always been needed. However, they’ll also need to be deployed wherever they’ve been lacking because a financial calculation based on risk alone did not justify it.

There is no magic bullet for ensuring compliance. It is simply a case of putting in the time and working at it on an on-going basis. Therefore, with just a year to go most organisations will hopefully be deep into their preparations.  However, our research shows UK organisations have been slower to act than their European counterparts, with uncertainty around whether the legislation would apply after Brexit arising as a possible factor. For those who are just starting out, or are not as advanced in their preparation as they’d like, here are some actionable steps you can take to get back on track by 25th May, 2018.

Identify and locate all customer data that is stored both on-premise and off-site

The regulation calls for protecting that data.  It is hard to protect something you cannot find!  A key component of the regulation is the ‘right to be forgotten’, which gives individuals the right to have personal data erased “without undue delay”. Identifying all locations, databases and formats in which data is stored is half the battle in responding to these requests. Once all this data has been located the next step is to erase the data permanently so that it can never be recovered. Don’t be fooled into using insecure and unreliable data removal methods such as basic deletion and free data wiping solution that offers no verifiable proof that erasure has taken place. These may not be enough to demonstrate compliance with the regulations. Keep in mind the maxim: if there is no record, it did not happen when it comes to compliance.

Determine who has access to data and the levels of control assigned to each individual

Restricting access to sensitive data only to those individuals who need to see it significantly reduces the overall threat envelope. This reduces the overall cost of on-going compliance monitoring and minimises the chances of an employee error resulting in a devastating data breach.

Establish written policies for data retention

These should specify exactly when, where and how data is to be permanently erased. For example, when citizens demand it, regulations require it or when the value of the retained data is less than the liability of holding on to it. Reducing the overall pool of data held by the organisation can diminish the number of data subjects impacted by a data security incident.

Hire a Data Protection Officer (DPO)

Depending on your organisation’s budget and resources this should be done in one of the following ways: a) hire a dedicated person to a newly created role b) assign these responsibilities to an existing employee c) outsource the role to a consultant. Whichever model you choose for the DPO, make sure this role is able to work across departments and is involved in all matters related to the protection of personal data in a proper and timely manner.

Conduct Regular Internal audits

Working closely with other stakeholders inside the organisation the DPO should regularly monitor how employees are collecting, storing and managing data across all stages of its lifecycle. Conducting internal audits on a regular basis will help identify gaps in data management and protection practices so that the necessary steps can be taken to improve upon such practices.

Keep communication channels open

The DPO should first notify their regional Data Protection Supervisor of their contact details and follow up with regular communications. When a breach occurs (and it will) the DPO has only 72 hours to notify the DPS.

 Richard Stiennon is chief strategy officer of Blancco Technology Group

We have updated our privacy policy. In the latest update it explains what cookies are and how we use them on our site. To learn more about cookies and their benefits, please view our privacy policy. Please be aware that parts of this site will not function correctly if you disable cookies. By continuing to use this site, you consent to our use of cookies in accordance with our privacy policy unless you have disabled them.