05 Apr 2017 | Consultancy | News
One of the most important, complex and time-consuming parts of your GDPR preparations is confirming how (and more importantly where) personal data is being used, processed and protected within your organisation and beyond the boundaries of your business jurisdiction.
To do this you must:
Preparations for the changes are a marathon, not a sprint; understanding the individual areas and acting on them now will benefit you in the long term. Prepare now and minimise the level of operational disruption later.
In this case we will focus on cutting down unnecessary storage and retention of data assets. By cutting the volume of data you hold you are reducing the risk to your organisation. With data storage relatively inexpensive, it’s tempting to hold onto data “just in case”. But getting rid of inactive data that you don’t need (or legally shouldn’t be retaining anyway) can make the difference between a breach being an inconvenience and a total disaster.
When Sony Pictures suffered a serious data breach in 2014, spectators called it “the hack of the century”. With an estimated 11.8 million sensitive and personal data entries compromised, it remains one of the highest profile hacks of all time. Had they been more rigorous about deleting inactive data, that number could possibly have been as low as 7 million records. A serious leak by anyone’s standard, but it’s a 40% reduction and would have been far less damaging.
If you’re one of the millions of businesses around the world that retain too much, it is something you need to resolve. Assess the data you have and the business justification for retaining it (this may be to meet other legal, regulatory or contractual obligations). Document and define the retention and archive rules for that data, then build processes to remove data that exceeds these requirements. In short, insist upon a “sell by date” – and enforce it.
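A minimal retention-rule evaluator illustrating the steps above (documented rule per data category, an archive window before deletion, and a hold for records kept under another legal, regulatory or contractual obligation). This is an added example, not IRM's code; the categories, periods and sample records are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class RetentionRule:
    category: str
    retain_days: int   # days a record may stay in active systems after last use
    archive_days: int  # further days it may sit in the archive before deletion

@dataclass
class Record:
    record_id: str
    category: str
    last_used: date
    legal_hold: bool = False  # other legal/regulatory/contractual obligation applies

# Constructed, hypothetical rules: one documented "sell by date" per category.
RULES = {
    "customer_contact": RetentionRule("customer_contact", retain_days=365, archive_days=365),
}

def decide(record: Record, rules: dict, today: date) -> str:
    """Return keep / archive / delete / review for one record."""
    rule = rules.get(record.category)
    if rule is None:
        return "review"      # no documented justification: surface it, never silently keep
    if record.legal_hold:
        return "keep"        # held for an obligation outside the retention rule
    age = (today - record.last_used).days
    if age <= rule.retain_days:
        return "keep"
    if age <= rule.retain_days + rule.archive_days:
        return "archive"
    return "delete"          # past the sell by date: enforce it

def apply_policy(records, rules, today: date) -> dict:
    return {r.record_id: decide(r, rules, today) for r in records}

def run_example() -> dict:
    # Constructed sample records evaluated as of 5 Apr 2017.
    today = date(2017, 4, 5)
    records = [
        Record("C-1", "customer_contact", date(2017, 1, 10)),
        Record("C-2", "customer_contact", date(2015, 6, 1)),
        Record("C-3", "customer_contact", date(2014, 1, 1)),
        Record("C-4", "customer_contact", date(2014, 1, 1), legal_hold=True),
        Record("M-1", "marketing_export", date(2016, 1, 1)),  # no rule documented
    ]
    return apply_policy(records, RULES, today)
```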
EU GDPR compliance will not happen overnight, and those yet to take the steps are falling behind. Begin your journey with IRM’s ’12 Steps To Compliance’.