GDPR Ten Steps To Get Started

15th December 2017 :: Data Security :: Author: Andrew Cope, Managing Director, Evergreen

  1. Undertake a data flow audit, looking for gaps, and making sure all your privacy notices and processes are robust and legal. Make sure you have a record of your processing activity.
  2. Update or create new data policies that contain processes or recipes for your staff to follow.
  3. Automate and Systemise: Where possible, remove the “human element” by using systems that help to secure data and adhere to your policies.
  4. Ensure your data is protected, remains private and maintains its integrity through encryption. This applies both to data “at rest” on your devices and to data “on the move” over the internet or on portable media.
  5. Ensure that all operating systems are supported, patched and updated. Obsolete operating systems and software programs should be removed or quarantined and remain isolated from the company’s network.
  6. All security hardware and software solutions need to be properly configured and passwords changed from default settings. Each time an update to the software is available, there should be policies and processes to ensure the update is introduced into the overall IT system.
  7. Initiate a governance framework to track, measure and report on data processing. Start to develop a risk register. Report to Board Level.
  8. Introduce Cyber Essentials and the ten steps to Cyber Security or become ISO 27001 certified.
  9. Schedule regular and mandatory training for everyone who processes data. This goes a long way to ensuring compliance and demonstrates that you are complying.
  10. Communicate, Communicate, Communicate! Make sure your staff and suppliers are not only aware of GDPR, but that they know, understand and adhere to your data security policies.
