Embedding GDPR and Data Protection in your organisation
22 Jan
It’s been 8 months since the EU General Data Protection Regulation (GDPR) came into force, and organisations are becoming increasingly aware that GDPR is not a one-time project.
Understanding the detail and implications of the GDPR is a daunting task, and some companies might still feel that it is easier to bury their head in the sand rather than to invest the necessary resources to achieve GDPR compliance. However, failure to comply with the GDPR leaves organisations open to substantial fines. According to the ICO (Information Commissioner’s Office), this could mean a fine of up to €20 million, or 4% of your total worldwide annual turnover (whichever is higher).
Based on our experience, it is becoming clear that there is no ‘one size fits all’ approach to GDPR. However, there are a few common steps that all organisations should go through when embarking on the journey to GDPR compliance*.
Step 1: Understanding the GDPR articles
The inevitable first step in GDPR compliance is being aware of and understanding the key GDPR articles. There are many useful information sources out there, but a good place to start is the ICO website. The most important at the outset is Article 5, which sets out the seven key principles of GDPR: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality (security); and accountability.
Compliance with these key principles is therefore an essential part of achieving good data protection practice.
Step 2: Conducting an Information Audit
In order to ensure that you are protecting your information according to the seven key GDPR principles, you first need to conduct an information audit so that you know exactly what information you hold. As part of the information audit, each organisation will need to look at how they collect, process, share, store and delete data.
Step 3: Creating an Information Asset Register (IAR)
Many organisations associate assets with IT equipment such as laptops and servers (i.e. physical assets).
However, it is crucial that organisations also keep a record of their information assets, to ensure that they understand what these information assets are, who they are shared with and how these assets are classified (e.g. OFFICIAL, SECRET, TOP SECRET etc.).
An Information Asset Register (IAR) is a centralised repository which contains details of all the information assets held by your organisation. This can include physical assets (such as paper files) and electronic assets (such as spreadsheets) and includes a record of the data being held, and how you store, process and share it.
It is important to know and fully understand what information you hold in order to protect it and be able to exploit its potential. Therefore, creating an IAR is a vital first step to protecting your information assets, as required under GDPR.
Step 4: Data Flow Mapping
Another important step towards GDPR compliance is to understand how information moves through your organisation.
Expanding your IAR to include data flow mapping can help increase the visibility of data flows, which can reduce the risk (and magnitude) of data breaches. In the unlikely event of a breach, an organisation would be able to ascertain exactly what data had been compromised and take the necessary action to ensure that the breach is contained (thereby reducing any further financial or reputational damage).
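To make Steps 3 and 4 concrete, here is an added example (not CoreStream's code or a description of its product) of a minimal Information Asset Register with data-flow mapping. It records each asset's classification, owner, master store, personal-data flag and external recipients, records flows between systems with their purpose, and then answers the question the text raises about breaches: if one system is compromised, which assets, markings, personal data and external parties are involved. All asset names, systems and parties are constructed sample data.

```python
"""Added example (not CoreStream's code): a minimal Information Asset
Register (IAR) with data-flow mapping and a breach-impact lookup.
All asset names, systems and parties below are constructed sample data."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Classification markings named on the page, ranked so the highest can be reported.
CLASSIFICATION_RANK = {"OFFICIAL": 0, "SECRET": 1, "TOP SECRET": 2}


@dataclass(frozen=True)
class InformationAsset:
    name: str
    classification: str                # one of CLASSIFICATION_RANK
    owner: str                         # accountable team or role
    stored_in: str                     # system holding the master copy
    personal_data: bool                # True if the asset contains personal data (GDPR scope)
    shared_with: Tuple[str, ...] = ()  # external recipients


@dataclass(frozen=True)
class DataFlow:
    asset: str
    source: str
    destination: str
    purpose: str                       # purpose limitation: why the data moves


class AssetRegister:
    def __init__(self) -> None:
        self.assets: Dict[str, InformationAsset] = {}
        self.flows: List[DataFlow] = []

    def add_asset(self, asset: InformationAsset) -> None:
        if asset.classification not in CLASSIFICATION_RANK:
            raise ValueError(f"unknown classification: {asset.classification}")
        self.assets[asset.name] = asset

    def add_flow(self, flow: DataFlow) -> None:
        # Every flow must refer to a registered asset; unregistered data movement
        # is exactly the gap an information audit is meant to close.
        if flow.asset not in self.assets:
            raise KeyError(f"flow references unregistered asset: {flow.asset}")
        self.flows.append(flow)

    def systems_holding(self, asset_name: str) -> Set[str]:
        """All systems where an asset resides: its master store plus every flow endpoint."""
        systems = {self.assets[asset_name].stored_in}
        for flow in self.flows:
            if flow.asset == asset_name:
                systems.update((flow.source, flow.destination))
        return systems

    def assets_on_system(self, system: str) -> Set[str]:
        """Inverse lookup: which assets would be exposed if this system were compromised."""
        return {name for name in self.assets if system in self.systems_holding(name)}

    def breach_impact(self, system: str) -> dict:
        """Summarise a breach of one system: affected assets, highest marking,
        whether personal data is involved, and which external parties receive it."""
        names = self.assets_on_system(system)
        affected = [self.assets[n] for n in names]
        highest = max((a.classification for a in affected),
                      key=CLASSIFICATION_RANK.__getitem__, default=None)
        return {
            "system": system,
            "assets": sorted(names),
            "highest_classification": highest,
            "personal_data": any(a.personal_data for a in affected),
            "external_recipients": sorted({p for a in affected for p in a.shared_with}),
        }


def build_sample_register() -> AssetRegister:
    """Constructed sample IAR; none of these systems or parties are real."""
    reg = AssetRegister()
    reg.add_asset(InformationAsset("Employee HR records", "OFFICIAL", "HR",
                                   "hr-db", True, ("Payroll provider",)))
    reg.add_asset(InformationAsset("Customer contracts", "OFFICIAL", "Sales", "crm", True))
    reg.add_asset(InformationAsset("Product roadmap", "SECRET", "Product", "file-share", False))
    reg.add_flow(DataFlow("Employee HR records", "hr-db", "payroll-export", "monthly payroll run"))
    reg.add_flow(DataFlow("Employee HR records", "hr-db", "file-share", "manager reports"))
    reg.add_flow(DataFlow("Customer contracts", "crm", "file-share", "contract archive"))
    return reg


if __name__ == "__main__":
    register = build_sample_register()
    # A compromise of the shared file store touches all three assets, including personal data.
    print(register.breach_impact("file-share"))
```

The register deliberately rejects flows for assets that were never recorded, because a flow with no matching asset is the sign that the information audit (Step 2) missed something. The inverse lookup is what turns an IAR from a static inventory into a tool for breach response: the same data that satisfies the accountability principle also tells you, within minutes of learning which system was compromised, what was in it and who else holds copies.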
Following steps 1 to 4 outlined above will not only assist your organisation with protecting its data, but it will also demonstrate to auditors and regulators that you have taken the necessary steps to protect the information that you hold.
How technology can help
Whilst it is possible to create and maintain your Information Asset Register (IAR) using spreadsheets and Word documents, the real challenge comes from keeping the asset register up to date and ensuring a consistent quality of data. This challenge will only increase as data volumes grow, meaning that increasing numbers of organisations are looking for tools to automate this process. We believe that investing in an online IAR is vital to reducing the ongoing costs of information governance, improving data quality and proactively managing your information risks.
Many of our customers have been looking for a tool to help them align with the major GDPR principles. CoreStream’s Information Asset Management software (IAM) provides organisations with an online Information Asset Register to manage the end-to-end asset life cycle. It enables organisations to identify, understand and manage their information assets and flows, as well as any associated risks, breaches and actions. Our platform is intuitive, flexible and can be configured to meet our customers’ individual needs.
For further information on CoreStream’s Information Asset Register software and Data Flow Mapping capabilities, please visit our website. Alternatively, if you would like to request further information about our platform or arrange a demonstration, please contact Sophie Lis (sophie.lis@corestream.co.uk).
*This guide is purely for guidance purposes and does not constitute legal advice or legal analysis.