General Data Protection Regulation: getting GDPR ready by 2018

General Data Protection Regulation: getting GDPR ready by 2018

General Data Protection Regulation: getting GDPR ready by 2018Gavin Siggers, Director of Professional Services, Iron Mountain

A lot can happen in two years. By 2018 we are expected to have witnessed the first human head transplant, Adobe Flash is predicted to be no more, the UK may or may not have left the EU and the flow of data into organisations will have increased by as much as five-fold, according to IDC.

Another significant development due in 2018 is the deadline for meeting new regulations around the treatment of personally identifiable information (PII). When combined with expected volumes in data growth, this could have huge implications for any business which processes personal data.

Earlier this year, the European Parliament passed the final vote on its new General Data Protection Regulation (GDPR), which is designed to protect personal information in an increasingly digital world. While the new laws won’t be enforced for another two years, it is a relatively short period of time considering that businesses will need to assess the new requirements, evaluate existing measures and plan a path to full compliance.

To help businesses understand the impact of the GDPR on their information management processes and where it fits within the wider regulatory landscape, here are six key steps to getting records GDPR-ready.

What is the General Data Protection Regulation (GDPR)?


Designed to protect personal information in an increasingly digital world, the GDPR is by far the largest shake-up of data protection rules so far this century. It includes more than 50 Articles that have far-reaching implications for organisations and their use and storage of personal data. In essence, the legislation protects the right of a European citizen to determine whether, when, how and to whom his or her personal information is revealed and how it can be used.

The advice of the Information Commissioners Office is that businesses need to start planning their approach to GDPR compliance as early as they can. The problem is that many businesses across Europe remain unaware of how the changes will affect them and the impact they have.

There are a number of important steps you can take now to help your organisation identify where PII resides and understand your obligations towards managing it. With the prospect of multi-million Euro fines for non-compliance, can you afford to wait?

Step 1 – What is personal data and do I have it?

The first step in deciding which parts of the new legislation will apply to your organisation is understanding what is meant by personal data. The definition of ‘personal data’ in the context of the new regulation is data relating to a ‘data subject’ (a person) who can be directly or indirectly identified on the basis of that data. Such data also includes device identifiers, cookies or IP addresses. This means that, under the GDPR, data controllers within organisations should be aware of all personal data under their control and able to demonstrate that they understand the potential risks to information, as well as how to mitigate those risks.

Step 2 – Does GDPR apply to me?

Next, it is important to have an understanding of the key terminology included in the GDPR in order to know whether it is relevant to your organisation. As well as ‘personal data’, key terms to understand include ‘territorial scope’, ‘data subject access requests’, ‘data protection impact assessment (DPIA)’, ‘the right to erasure’, ‘data portability’ and ‘consent’. For further information on these, go to our knowledge centre, or find the glossary of terms on eugdpr.org.

Step 3 – Where does data live within my organisation?

In order to meet your statutory obligations, you first need to know where personal data lives. A detailed analysis of the data stored on corporate systems, employees’ personal devices, offsite archives and filing cabinets, as well as information stored by suppliers, subcontractors and business partners (people who process personal data on your behalf) will be required to give you the full picture.

Step 4 – Develop a data map and classify every piece of information

Following this analysis, we recommend creating a data map which provides a 360 degree view of all physical and digital information, including personal data, stored across an organisation. The data map is an important tool to ensure that you can quickly locate, assess and monitor all information on an ongoing basis.

Step 5 – Review and update existing policies

Once you know where your information is, you need to know what you can do with it and how long you are permitted to keep it. This requires making sure that your retention policies are up to date, reflecting legal, regulatory or contractual obligations so that you are only keeping what you should and that you’re destroying personal data (and all other records) when you are required to in a defensible way.

Step 6 – Maintain awareness and responsiveness

Finally, it is important to make sure that the business as a whole is aware of its obligations. Information passes through the hands of employees, contractors and suppliers, so all parties must understand and comply with the same retention policies. Just as regulations change and impose new obligations on organisations over time, your retention policies should remain dynamic and responsive, adaptable to evolving business and regulatory landscapes.

Organisations across Europe have long been familiar with the need to ensure that they store personal data according to the latest regulatory requirements. The introduction of the GDPR, however, and associated penalties for non-compliance – which could result in fines of up to 4 per cent of annual world group turnover or EUR 20 million – means that it has now become critical to get data retention right.

Following these six steps is the starting point for avoiding the wrath of the regulators. Failure to act now will leave you rushing to catch up at a time when a mistake or oversight may be punishable by law and could cost your organisation dearly.

[su_button url=”http://www.ironmountain.co.uk/” target=”blank” style=”flat” background=”#df2027″ color=”#ffffff” size=”10″ radius=”0″ icon=”icon: arrow-circle-right”]For more information on Iron Mountain click here[/su_button]

About Security Buyer

Security Buyer is the leading authority in global security content, delivering expert news, in-depth articles, exclusive interviews, and industry insights across print, digital, and event platforms. Published 10 times a year, the magazine is a trusted resource for professionals seeking updates and analysis on the latest developments in the security sector.

To submit an article, or for sponsorship opportunities, please contact our team below.

Rebecca Spayne picture 2025

Rebecca Spayne

Managing
EDITOR

Georgina Turner image

Georgina Turner

Sales
Manager

Afua Akoto image - Security Buyer

Afua Akoto

Marketing Manager

Read the Latest Issue

Follow us on X

Follow us on X

Click Here

Follow us on LinkedIn

Follow us on LinkedIn

Click Here

Advertise here

Reach decision makers and amplify your marketing

Advertise here

Click Here

Related News

Copyright: Security Buyer

ASIS UK Launches “Security is You(th)” Hackathon

ASIS International UK has launched Security is You(th), an initiative designed to engage students and early-career professionals…
Image provided by Veeam

AI and Ransomware: Cutting Through the Hype

Rick Vanover, Vice President Product Strategy, Veeam discusses how It might be the great paradox: Artificial Intelligence (AI)….
Copyright: Security Buyer

AmiViz Partners with Titania

AmiViz announced a strategic distribution agreement with Titania. This collaboration underscores a shared commitment to enhancing…
Oil and Gas

Navigating Africa’s Oil & Gas Industry

A comprehensive analysis of security strategies in Africa’s oil and gas industry, covering physical, cyber, and remote surveillance measures.
blackhat

Black Hat Europe Starts Soon

Black Hat Europe starts Monday and now is the perfect time to start planning your experience. With a full lineup of Keynotes…

VIVOTEK’s All-in-One Software Boosts Operational Efficiency for Enterprises

As demand for high-efficiency security systems rises among large enterprises, the global leading…
Assa Abloy website

WTC Amsterdam enhances security and efficiency with digital access solution

The World Trade Center (WTC) Amsterdam, home to over 300 companies, has upgraded its building security with a streamlined, digital access solution from ASSA ABLOY.
John Maddison website

Fortinet launches Lacework FortiCNAPP to enhance cloud-native security

In an advancement in cybersecurity, Fortinet has announced Lacework FortiCNAPP, providing organisations with visibility and security.
GITEX Global 2024 website

GITEX GLOBAL 2024: AI revolution drives strategic tech innovation

GITEX GLOBAL 2024 concluded on Friday, showcasing artificial intelligence (AI) as a transformative force driving business and economic growth
Scroll to Top