Last month I attended ENISA’s Security of Personal Data Processing Event in Athens, Greece. The event was organised together with the Digital SME Alliance and the Hellenic Data Protection Authority. During the day, experts in the field, including myself, shared advice and their own experiences of complying with the General Data Protection Regulation, with a focus on SMEs.
My presentation gave an overview of selected tools and best practices available on the market to help SMEs comply with the GDPR. It started from the principle of data protection by design and by default, which touches every stage of a processing activity: the lawfulness and fairness of the processing, transparency towards the data subject, the collection of personal data for specified, explicit and legitimate purposes, the minimisation, accuracy, integrity and confidentiality of the personal data, and appropriate storage limitation. To check that it has taken all the necessary compliance measures, a company can use the Data Protection Self-Assessment Toolkit created by the Information Commissioner’s Office (the UK Data Protection Authority). In addition, the Hellenic Data Protection Authority has drafted a 10-step preparation guidance, the French Data Protection Authority (Commission Nationale de l’Informatique et des Libertés) has drafted a Guide to Assist Processors, and the Italian Data Protection Authority (the Garante) has drafted a Guide for the Application of the GDPR. These tools give preliminary guidance to companies acting as data controllers and as data processors.
Below are five main takeaways from the day:
- A data protection compliance framework must be built on a risk-based approach – companies should evaluate the risks inherent in their processing activities and implement a framework to mitigate those risks;
- Adhering to codes of conduct or obtaining certifications is an efficient way to demonstrate compliance – companies can look for certifications or codes of conduct that cover the kind of processing activities they carry out and apply to the relevant certification body;
- SMEs should also follow the risk-based approach so that they know which data-security risks they are exposed to and can then select service providers that meet their security goals;
- In the long term, a company should aim for resilience – moving from prevention to resilience may be difficult, but it is the most effective way to handle data breaches and cyber security risks in general;
- Companies should “think privacy – design privacy” – privacy should be built in from the earliest stage of designing projects, processes, and new goods and services.