Step four – Start with your top priority
Once the data has been identified, evaluate it: how it is produced, where it flows and how it is protected. With any data or application, the first priority should be to protect the user's privacy. For the most sensitive data and applications, businesses should always ask whether they really need that information and why. Such data is the most valuable to an attacker and therefore carries the highest risk of being breached.

Businesses should complete a Privacy Impact Assessment (PIA) and, as GDPR requires for high-risk processing, a Data Protection Impact Assessment (DPIA) of their processing activities and the security policies that govern them, tracing each data life cycle from collection to destruction. Keep the rights of EU data subjects in mind while doing this, including data portability and restriction of processing. The "right to be forgotten" (the right to erasure) is one to consider as part of GDPR: personal data must be deleted without undue delay when the data subject requests it and no ground for retaining it (such as a legal obligation) applies. It is vital that this data is correctly destroyed and can no longer be accessed, which means erasure has to reach every copy, including backups and analytical extracts, or those copies must be rendered unreadable, for example by destroying the key they were encrypted under.

From here, companies should evaluate their data protection strategies: how exactly they protect the data (for example with encryption, tokenisation or pseudonymisation). This must cover the data they are producing, data that has been backed up, whether on-site or in the cloud, and historical data kept for analytical purposes. Businesses must ask themselves how they are anonymising or pseudonymising this data to protect the privacy of the individuals it relates to. Bear in mind that pseudonymised data, where the link to a person can still be restored with a key or a lookup table, is still personal data under GDPR and must be protected as such; simply hashing an identifier is not anonymisation. Always keep in mind that data should be protected from the day it is collected through to the day it is no longer needed, and then destroyed in the correct manner.
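As an added example (not part of the original article), the following Python contrasts the approaches named above on a constructed set of purchase records: an unkeyed hash of an email address, which an attacker can reverse by guessing; keyed pseudonymisation with HMAC-SHA256, where the key is held separately and its destruction breaks the link; and tokenisation through a vault, where erasing a subject's vault entry handles a right-to-erasure request while the analytics copy keeps a now-meaningless token. All names, records and class names are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional

# Constructed sample records for the example; no real people.
RECORDS: List[Dict[str, object]] = [
    {"email": "alice@example.com", "item": "laptop", "amount": 1200},
    {"email": "bob@example.com", "item": "phone", "amount": 800},
    {"email": "alice@example.com", "item": "case", "amount": 30},
]


def naive_hash(identifier: str) -> str:
    """Unkeyed SHA-256. Looks anonymous, but anyone who can guess the input
    (email addresses, phone numbers, national IDs) can confirm a match."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def reidentify_by_guessing(digest: str, candidates: Iterable[str]) -> Optional[str]:
    """Dictionary attack against naive_hash: returns the matching identifier."""
    for candidate in candidates:
        if hmac.compare_digest(naive_hash(candidate), digest):
            return candidate
    return None


class Pseudonymiser:
    """Keyed pseudonymisation with HMAC-SHA256 (hypothetical helper).

    Records for the same person get the same pseudonym, so analytics can
    still join them, but without the key nobody can compute or check a
    pseudonym. The key must live outside the dataset (an HSM or secrets
    store in practice; here just an attribute). Destroying it breaks the
    link between pseudonyms and identifiers for good (crypto-shredding)."""

    def __init__(self, key: bytes) -> None:
        self._key: Optional[bytes] = key

    def pseudonym(self, identifier: str) -> str:
        if self._key is None:
            raise RuntimeError("key destroyed; link to identifiers is gone")
        return hmac.new(self._key, identifier.encode(), hashlib.sha256).hexdigest()

    def destroy_key(self) -> None:
        self._key = None


class TokenVault:
    """Tokenisation (hypothetical helper): a random token stands in for the
    identifier and the mapping lives only in this vault. Erasing a subject
    deletes the mapping; tokens already copied into backups or analytics
    data become meaningless."""

    def __init__(self) -> None:
        self._id_to_token: Dict[str, str] = {}
        self._token_to_id: Dict[str, str] = {}

    def tokenise(self, identifier: str) -> str:
        token = self._id_to_token.get(identifier)
        if token is None:
            token = secrets.token_hex(16)
            self._id_to_token[identifier] = token
            self._token_to_id[token] = identifier
        return token

    def detokenise(self, token: str) -> Optional[str]:
        return self._token_to_id.get(token)

    def erase(self, identifier: str) -> bool:
        """Right-to-erasure handling: drop both directions of the mapping."""
        token = self._id_to_token.pop(identifier, None)
        if token is None:
            return False
        del self._token_to_id[token]
        return True


def tokenise_records(records: List[Dict[str, object]], vault: TokenVault) -> List[Dict[str, object]]:
    """Build the analytics copy: email replaced by a vault token, nothing else changed."""
    out: List[Dict[str, object]] = []
    for rec in records:
        safe = {k: v for k, v in rec.items() if k != "email"}
        safe["subject"] = vault.tokenise(str(rec["email"]))
        out.append(safe)
    return out


if __name__ == "__main__":
    digest = naive_hash("alice@example.com")
    print("guessed from unkeyed hash:",
          reidentify_by_guessing(digest, ["carol@example.com", "alice@example.com"]))

    vault = TokenVault()
    analytics = tokenise_records(RECORDS, vault)
    print("analytics copy:", analytics)
    alice_token = str(analytics[0]["subject"])
    print("vault lookup before erasure:", vault.detokenise(alice_token))
    vault.erase("alice@example.com")
    print("vault lookup after erasure:", vault.detokenise(alice_token))

    p = Pseudonymiser(secrets.token_bytes(32))
    print("keyed pseudonym:", p.pseudonym("bob@example.com"))
    p.destroy_key()
```

The analytics copy is the data that ends up in backups and historical stores; the point of the vault and of the separately held key is that an erasure request, or a breach of the analytics copy, only ever has to be dealt with in one place.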