In this blog series I will hand you quick, easy and fairly cheap methods that help achieve one of the goals of the GDPR, namely security and privacy by design and by default.
What is security and privacy by design/default?
Security and privacy by design and by default is one of the key principles of the new regulation, laid down in Article 25 (data protection by design and by default).
Privacy and security by design requires a company to process personal data with data protection and security in mind at every step.
These steps include the design process, development, the design of the IT infrastructure and much more. In short, it means that privacy and security must be built in across the entire lifecycle of the process, not bolted on afterwards.
The importance of communication and awareness
It will be the duty of the Data Protection Officer (DPO) to monitor compliance with the new regulation. However, every single employee is responsible for handling personal data with care, and often the people who work with personal data have not been made aware of the GDPR. They may have heard that a large “GDPR project” is running and that it is a lot of work, but not what the big changes coming with the new regulation actually are. As a company you will be the one liable for data breaches, so keeping your employees informed is in your best interest.
The GDPR requires a change in attitude towards handling personal data, and this will have an impact on your business processes. As a company you want a clear view of how your company functions, but most of all you want your company to be compliant with the GDPR. This can be a difficult process, especially in older companies with a family-business culture. The solution is to have your GDPR team organise training sessions and awareness campaigns.
Involve your employees
Employees appreciate being involved in new projects and informed about updates or changes within the company, so involve them. Achieve this by sending a clear communication explaining the GDPR and the changes it brings. Explain which rights the data subject gains and which duties the company has towards the data subject, and above all why the GDPR matters. You can find more on employee rights here.
Send regular reminders about good practices for handling personal data with care (e.g. only send copies of files containing personal data when necessary, and only via official company communication channels). Another option is to offer e-learning within the company through the IT governance you have in place, which will be the topic of a following blog.
So make sure your company and employees are ready for 25/05/2018!