I was speaking at an event in Stockholm recently, and was preceded by an eminent lawyer in the field of data protection. He was telling the audience how, after years of discussion, the European Union’s new data protection framework, the EU General Data Protection Regulation, has finally been agreed upon. He gave lots of detail on the specific obligations organisations will now have to comply with to ensure the protection of personal data, but in essence his message boiled down to three things:
• You are accountable and need to be able to demonstrate compliance coherently across your processes, employees and systems
• If you get it wrong, it’s really going to hurt
• You need to start thinking about how to become compliant before it’s too late
Enterprises and government bodies are complex beasts. They hold large volumes of personal data in a variety of internal silos, and share it across partner organisations and international boundaries. With the rise of business process outsourcing, putting in place proper controls has become a complex problem.
Central to solving that problem are your end users. It is your users that speak to your customers or citizens on a daily basis, capturing and processing personal data. Only if users are active participants in your EU GDPR controls framework will they become more accountable for the information that they create and handle.
Data classification helps organisations understand and control their data estate; identifying where and what personal data is held and enabling existing and newly created documents, reports and emails containing personal data to marked as such and protected in-line with its sensitively.
To demonstrate organisational accountability, you need to demonstrate end user accountability. You need to go beyond the once-a-year training on data protection and give end users tools that will inform them of their obligation, and will help them comply with their own responsibilities. This will help promote a culture of security which in turn will minimize the chance of a personal data breach.
As ‘Mr. Eminent Lawyer’ said, “If you get it wrong, it’s really going to hurt.”
For more information on how data classification can help your organization become compliant with EU GDPR, visit our website.