MEA Q1 2018

GDPR: Data-Protection Soul-Searching, Not Just Compliance

1. Scope. Know what you have. We can’t protect what we don’t know we have. This is a good time for companies to figure out how and where they hold personal data—and not just of EU residents, and not just for their EU affiliates.
2. Protect. Know how you are protecting those assets. Are you doing the basics? Could you do more? Are your peers doing more? Are you following your data classification policy in automated ways or just expecting employees to know it? Do you delete unnecessary data?
3. Monitor and detect. Do you have technologies in place (such as encryption, data-loss prevention or anti-virus software) to protect those assets from malicious actors, loss, unwanted leaks? And do you know what to do if something goes wrong?
4. Review. Do you have a process to make sure that all new applications or cloud services are reviewed and that you know how you are using them? Are you implementing data protection by design by thinking of privacy and security at the very beginning of any project?
5. Then repeat. The regulation requires “a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”

Some of the specifics of what the regulation requires will take years to truly understand as regulators and courts issue rulings on what comes in front of them, and companies will have different paths to compliance with GDPR. But at the core of the regulation is knowing what you do with the personal data of your employees and customers, and making sure you have stopped to consider the risks inherent to personal data in your business.

Thinking of GDPR as an opportunity to review the robustness of your data protection program and to make reforms that are good security, good business, and the right thing to do turns GDPR from a many-headed monster into healthy data-centric reform.
After all, the GDPR tells us that “the processing of personal data should be designed to serve mankind.”