Haven’t paid much attention to getting your organization ready for GDPR? Here are some actions to consider taking:
1. Get educated on the law to determine if it applies to you
Review the law, get familiar with its nuances and complexities, and understand how it impacts your organization. Start by visiting the GDPR website at www.eugdpr.org. Do you do no business in Europe and have no employees, vendors, contractors or customers there? Then perhaps you are safe for now (though you are likely in the minority).
2. Appoint a Data Protection Officer, if necessary
Organizations that process significant amounts of private data on a regular basis are required under GDPR to appoint a Data Protection Officer. This employee must report directly to executive management and a company’s board, and be responsible for monitoring compliance, advising on all data protection matters, and serving as a single point of contact for regulatory authorities and data subjects.
You’re required to have such an officer if:
- Your organization is a public agency
- Your organization does “regular and systematic monitoring” of data sources on a large scale, such as automated profiling, behavioral advertising, email retargeting and the like
- Your organization does “large scale” processing of sensitive data or data relating to criminal convictions and offenses
Even if you aren’t in any of these categories, many privacy experts recommend you have such a position anyway to spearhead your organization’s compliance.
3. Identify the data you collect and manage that might be GDPR-protected
Simply put, you must sit down and figure out which data systems are likely to hold private data. This is a tough assignment because there are obvious and not-so-obvious locations. Clients usually get about 80 percent of it right. The 20 percent they miss often includes Microsoft Active Directory systems, workloads hosted in the cloud, and disaster recovery systems whose failover site is located internationally.
Doing your due diligence here is crucial because you next want to get an outside assessment of your GDPR readiness, and where you might have private data is the first question the assessment provider will ask you. Strong knowledge of your customers’ personal data will make for a smoother and more complete assessment.
4. Bring in experts for an assessment and gap analysis
PCM’s GDPR experts provide assessments by gauging the impact that the new law will have on an organization. “We look at everything at an organization that might be covered by the law,” Bishoff says. That provides the grist for a comprehensive “gap” analysis of areas out of compliance.
PCM then builds a remediation plan to bring these areas into compliance, including recommending how to arrange systems and processes to monitor data collection and management for GDPR going forward. “Sometimes it’s a change needed in the corporate data governance and policy; sometimes it’s a change needed in a company’s software and hardware solutions, and sometimes it’s both and more,” Bishoff says. (Contact PCM Security at firstname.lastname@example.org for more information.)
5. Implement real-time alerts
As noted earlier, GDPR mandates that organizations suffering a security breach report it to proper authorities within 72 hours of discovery (and to also notify affected subjects “without undue delay”). A security platform with real-time alerting capabilities can be a big help here in initiating an attack response and issuing the required notifications.
6. Prepare an incident response plan
Recommendations for your incident response plan will likely be covered in your assessment and remediation plan (tip No. 4). But this provision (with all the notifications it mandates) is indeed a challenging aspect of the law. To achieve compliance here, organizations need to spread GDPR education and awareness to their employees and may also need to invest in technologies such as user behavior analytics and AI-powered network monitoring tools, says security evangelist Csaba Krasznay in an interview with SearchCIO.com.
In general, the best incident response is a planned response, rather than one made up while you are responding to an incident, where you are bound to get it wrong. Your plan should cover what actions to take following a breach, who oversees those actions, whom to contact, how to keep the business operating, and even whether alternative sites will be needed.
7. Monitor your environment with regular assessments
Once you’ve deployed security solutions and other controls to fill all the identified gaps, you need to assess how effective they are on a regular basis. You should regularly evaluate your data protection risks, test your incident response plans, assess the resilience of your systems to defend against identified risks, and gauge the effectiveness of your security controls in preventing data breaches.
You also must vet the security controls of all third-party vendors that process personal data on your behalf, as well as the suppliers you contract with. If necessary, you may need to negotiate new processing agreements with suppliers that require them to comply with GDPR requirements.
8. Don’t regard GDPR as a one-off activity
As noted earlier, GDPR may be the first step in a large-scale global transition toward more heavily regulated protection of personal data. And as we also said, there’s no fairy godmother to transform you into being GDPR-ready overnight. But by making significant investments in time, money and infrastructure to achieve full compliance in the next year, you could save your organization from fines and court costs that turn you into a pauper down the road.