Gaining a clear understanding of the data that you hold, what you use it for, where it is stored, and how long you store it, is the first step in understanding both the risks associated with your data, and the task of managing the complex data management processes associated with GDPR. As a reminder, these tasks are:
Managing Subject Access Requests
The customers’ right to have their data ported from your business to another company
The customers’ right to have their data rectified
The customers’ right to have their data deleted
Definitions around your data
The GDPR expand the definitions of personal data which now extend to items such as personal identifiers. Current data protection legislation defines sensitive personal data as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership and the processing of data concerning health or sex life or criminal records. GDPR extends this to include the processing of genetic or biometric data for the purpose of identifying a person.
Understanding these classifications is a key part of managing the risk associated with your data.
Once you understand what data you hold, the next step is to classify the data. Data classification will allow you to assess the value and sensitivity of the data in your business. This will allow you to determine whether you have the appropriate risk controls in place.
A framework for understanding and managing the risk of processing data is outlined in the diagram below.
The three broad business objectives of maintaining confidentiality, maintaining integrity and maintaining availability are known as the CIA triad and are at the heart of information security. Useful definitions of these three terms can be found here. These are the principles that any secure business system should adhere to.
Establishing the impact scale of each data element is used to estimate the anticipated level of loss or damage that would result if an incident resulted in a failure to meet one of the business objectives.
An example of impact scale is shown here
Once the impact scale of loss of availability, loss of confidentiality or loss of integrity has been agreed, policies and processes should be put in place to agree the security measures around each data element. This should be a joint decision between business and IT.
Keep your classification updated
Keeping on top of new data sources as they arise, defining what the data is used for, where it is used and the impact scale is imperative to managing your data risk on an ongoing basis.
You’ll find lots of information on becoming GDPR compliant on the Information Commissioner’s website here.
If you’d like to find out how Clearview can help, email Vanessa@Clearview-Consulting.uk