The new General Data Protection Regulation (GDPR) is not all about ensuring that your business or organisation has consent to process personal data; there is far more to it than that. Information governance is a major consideration, as covered by Article 32 of the regulation.
Does this mean that all personal data has to be encrypted?
Many businesses and organisations choose to encrypt all of the personal data that they deal with. However, GDPR does not actually stipulate that this is necessary in order for businesses and organisations to be compliant. It simply states that data needs to be kept and processed securely, in a manner that is appropriate to the level of risk that is present.
Why is the measurement of risk important?
Businesses and organisations that process high levels of sensitive personal data, or whose data processing may involve a level of risk, need to assess risks and potential impacts. Data Protection Impact Assessments (DPIAs) should be used for this purpose. Once high-risk data processing activities have been identified, they need to be mitigated. Processes and procedures that are put in place need to be fully documented, in order for the business or organisation to meet compliance requirements.
If there is no apparent mitigation available in a high-risk situation, the business or organisation should not process the data until it has consulted with the appropriate Data Processing Authority (DPA).
Reporting data breaches
Businesses and organisations also need to have plans in place for the reporting of data breaches when they occur. Any breaches need to be reported to the DPA within 72 hours of the business or organisation first becoming aware of the breach. Planning of this type is an important consideration when it comes to dealing with the information governance aspect of GDPR compliance.