How to Start Preparing for GDPR in Seven Easy Steps
Security | Jun 21, 2017
The last time the EU undertook a major change to data privacy laws was 1995 and less than 1% of the world’s population was online. Today, 49% of people are online, and on May 25, 2018, the EU will begin enforcement of the new General Data Protection Regulation (GDPR).
The regulation includes significant new regulatory and reporting requirements for any organization doing business in the EU. It also includes significant teeth – fines for non-compliance can reach 20 million euros or 4% of worldwide annual turnover, whichever is higher.
With 11 months remaining before GDPR goes into effect, you would assume most organizations are well underway with planning efforts… right? As it turns out, most have a long way to go. Per a recent survey we conducted with SC Magazine, 24% of companies say they won’t be compliant when the time comes. Another 30% are working on compliance, but don’t have a timetable for roll-out.
More than a year has passed since the announcement of the GDPR enforcement date, and only about 16% of businesses surveyed have reached advanced stages of compliance planning.
Forensic security solutions from Guidance Software provide the 360-degree visibility you need to understand your data. We help protect the data of many of the largest organizations in the world, in some of the most regulated industries. We understand how data, security, and compliance come together. Our advice: if you have not already started planning for GDPR compliance, START NOW. The best place to begin is with understanding your data. We developed the following seven-step process to help you get started by understanding your data better:
#1 Before anything else, answer this: Does GDPR apply to me and my data?
GDPR does not apply solely to organizations based in Europe. It applies to any organization established in the EU, and to any organization outside the EU that offers goods or services to people in the EU or monitors their behaviour, regardless of where the processing itself takes place (Article 3). The data it covers is personal data: any information relating to an identified or identifiable natural person, which includes names, identification numbers, location data, online identifiers such as IP addresses and cookie IDs, and any combination of attributes that singles a person out. “Processing” is defined just as broadly and covers any operation performed on that data in any fashion – collecting it, recording it, structuring or storing it, adapting it, retrieving it, using or disclosing it, or even erasing it. If your business does any of this, read on.
#2 – Learn everything you can about your data – Delve deeply to understand not only where it is stored, what is stored, and how everyone uses it, but also what your current processes are for responding to a breach. Document your answers and put someone in charge of maintaining this information going forward. Then map your current processes against the requirements of GDPR as they apply to your specific situation. This may require a close review of the regulation by your team. A practical way to capture the result is a record of processing activities that lists, for each activity, its purpose, the categories of data and data subjects, the recipients, any transfers outside the EU, the retention period, and the security measures in place. Article 30 requires such a record of controllers and processors with 250 or more employees, and of smaller ones whose processing is more than occasional, is likely to result in a risk to individuals, or involves special categories of data.
#3 – Conduct an internal audit – Identify and review the technology solutions you need to achieve compliance, and determine the people and processes required to transform internal practices in support of the new regulation. If your legal, HR, information security, or other departments move protected data between countries, you need to understand those transfers: personal data may only leave the EU for a country with an adequacy decision or under an approved safeguard such as standard contractual clauses or binding corporate rules (Chapter V). Get to know your business processes in depth, including every data source and every location where data lives.
#4 – Perform a gap analysis – Achieving full GDPR compliance may require you to deploy multiple technology solutions to address various threats. It is important to understand the full risks inherent in your complex business processes, and to bolster security where a single solution has blind spots. For example, a company may have robust security in place for credit card processing, but what about the same data once it is inside the organization, where it may be copied, printed, or transferred? What your employees do with the data once it is received will now be under scrutiny and will require more comprehensive security than in the past. Taking the time to map your processes and conduct a gap analysis can be an extremely valuable exercise.
#5 – Address your issues individually – Every organization's needs are unique, but now is the time to determine the scope of the technologies you need to fit the processes you currently have. Put a plan into motion and create an incident response plan, including procedures for testing and updating it.
#6 – Adopt best-practice routines for data management and maintenance – Implement a routine of regularly updating your organization's documentation so that you always have access to the data you need when you need it. GDPR requires that in the event of a personal data breach, the supervisory authority be notified without undue delay and, where feasible, within 72 hours of the organization becoming aware of it, unless the breach is unlikely to result in a risk to individuals (Article 33). The notification must describe the nature of the breach, including the categories and approximate number of data subjects and records affected, the likely consequences, the measures taken or proposed in response, and the contact details of the DPO or another point of contact. Where the breach is likely to result in a high risk to individuals, they must be informed as well (Article 34). Time will be of the essence, so quick action and accurate records will be paramount.
Make it a goal to verify continually that sensitive data is not leaking into unauthorized, less secure systems. Require ongoing internal reporting to ensure this effort is effective.
#7 – Recruit, hire and train a Data Protection Officer (DPO) – Appointing a DPO is mandatory under the regulation for public authorities and for organizations whose core activities involve regular and systematic monitoring of individuals on a large scale or large-scale processing of special categories of data (Article 37); for everyone else it is strongly advisable. Make this person the coordinator for all the items on this list. Note that the DPO's role is to inform, advise, and monitor compliance, and they must be able to act independently and report to the highest level of management (Articles 38 and 39); accountability for compliance itself stays with the organization. For too many organizations, the responsibility for data risk management has remained spread across multiple departments and stakeholders, including IT, Legal, Security, and others. A clear chain of command will help your company better manage its processes and demonstrate compliance to authorities.
Going forward, remain focused on continuing education for your workforce and your board. Digital risk management should become a critical topic among senior business leaders. Bring these teams together frequently for educational sessions and risk mapping so you can build a shared understanding of the critical nature of the work. Over time, your leadership will emerge as key stakeholders in helping your organization keep in sync with requirements and remain compliant for the long haul.
Want to know more?
Guidance Software has been helping customers understand and comply with data privacy and other regulations for years. We can help. To learn more, contact Guidance Software to speak with one of our experts and arrange a demo of EnForce™ Risk Manager, or visit https://www.guidancesoftware.com/enforce-risk-manager for more information.
- ComputerWeekly: Almost a quarter of UK and US firms likely to miss GDPR deadline
- Security Week: GDPR Industry Roundup: One Year to Go