Third, you must be able to act on those data sources: classify, retain, collect, stage and secure them.

Tyrer offers the following basic roadmap to compliance:

Identify all the data sources you can. “Create a listing of assets: These are the apps we have, the file servers, the mobile devices that we know of, the clouds we interact with. Make sure you can be at a place where you can search across data sets and collect them when needed.”

Figure out what rules you need to wrap around the data. “There may be different security requirements for different datasets,” Tyrer says. “What data should be where? Set rules around who can interact with data and where it can go. If you need to do something with that data or find an element in it, what processes do you need to follow? Do you save it or delete it after a certain time?”

Start small and build. “If you’re put off by such a big problem and don’t know where to begin, start with one thing and move on to the next data set you want to address. Email is often a good place to start,” Tyrer says. Key areas to look into include the cloud and the endpoints, such as mobile devices.

As the GDPR deadline nears, Tyrer says organizations who have been holding off on their strategies need to do something, “even if you don’t know what that something is. If you don’t (act), then you’re in trouble.”

Despite the logistics and associated costs, GDPR compliance could be viewed as a competitive advantage, he adds. “If you can claim some semblance of GDPR compliance, you would be looked on more favourably by the EU as a foreign company doing trade.”