The last-minute guide to GDPR: How to find and fix your biggest compliance risks
When the EU Parliament approved the General Data Protection Regulation (better known as GDPR) in April 2016, the compliance date of May 25, 2018 seemed eons away.
Now, less than a month from that date, some organizations still haven’t started preparing, or have insufficiently prepared.
According to a survey conducted by the Cloud Security Alliance in April, 83 percent of organizations do not feel prepared for GDPR, while 27 percent of organizations have little to no familiarity with GDPR.
If you fall into the latter group, read up on the requirements here. For the rest of you, it’s time to get to work.
The question is, how can you make up for lost time?
Where to start in a last-minute dash to GDPR compliance
First and foremost, you need leadership buy-in to sponsor policies and processes and to provide the resources to get the job done. As with most IT projects, failure to get this buy-in at the beginning will result in failure. Once that organizational support is established, designate a GDPR officer responsible for privacy concerns. This role is a GDPR requirement, and the person appointed is often an existing compliance officer or security leader.
Then you need to determine the risks to your organization. Have a third party complete a security assessment to measure the efficacy of existing security controls as they affect privacy, and communicate any existing compliance risks to leadership. With this assessment completed, you will at least know where you stand and have a roadmap for establishing a corrective action plan.
Step 2: Data characterization
Most technical teams are not fully aware of what types of information their organizations’ environments hold. Knowledge is often siloed, and while there might be general knowledge of the internal or cloud storage where data resides as well as what is shared with outside partners, some questions are more elusive: How much data is involved? What types of data exist? And where is it stored?
Of course, environments are dynamic, so no single technical component will give you a clear sense of the data you have. To get a full picture, ask all pertinent department leadership to communicate what information they currently use or store. Legal, Human Resources, IT, and Engineering teams need to conduct their own back-end research to assess what they are working with.
Each data owner should be responsible for characterizing their department’s data and how it works within the fabric of the organization.
Many of these answers are not found within a technical process, but by examining the controls. Make data characterization a discussion and whiteboard how data is retained and shared.
It is not enough to just deploy a data loss prevention (DLP) solution and expect to be covered. You have to know where the information resides and the controls in place for it.
As part of this step, you will need to identify the users (both internal and external) who use the data, as well as any gaps. Validate that HR records or customer information, for example, are actually stored where you think they are.
By the end of the process, you should be able to say where the data is, how it is being used, and what appropriate technical controls are in place.
The data is identified. Now what?
After you have pieced together all the personally identifiable information (PII) you collect and how it is used, it is time to dig further into the GDPR requirements.
Documentation is key: Have a way to demonstrate that customers consented to collection of their information, for example.
Put protections in place so that users do not have improper access to PII. Here is where traditional IT controls—some of the easier components of GDPR—come into play. Make sure you have DLP, encryption, access controls, logging, and forensics all in place.
Data protection has always been important, but GDPR requires that you prove you have sufficient defenses in place to safely hold PII. Ensure that there is no possibility of improper access to PII and that it is not leaking out of your environment by using strategies like DLP, encryption, and user access control. Look into pseudonymizing or the tokenization of data so that it is not personally identifiable.
GDPR requires you to conduct regular assessments to confirm data protection and avoid breaches. If your system is breached and PII is put at risk, you must report the breach within 72 hours and provide details such as how the breach occurred and how many consumers it affected. Those affected must be notified as soon as possible without any unnecessary delays.
GDPR questions remain
Until the first GDPR audits happen, we are left with a wild west where we do not yet know what will be considered an acceptable standard of security for these requirements.
For example, GDPR currently requires that a customer has a “right to be forgotten,” meaning they can request that you delete their information. How to actually do that is a big challenge, and part of the reason why you have to know where all the data is in your organization. Sometimes there are conflicting requirements as well, when the right to be forgotten might bump into data retention requirements.
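The following is an added, constructed illustration (not code from the article) of how the tokenization strategy mentioned earlier interacts with the "right to be forgotten": business records keep only an opaque token, a separately held vault owns the only link back to the person, and an erasure request deletes that link while records subject to retention requirements stay intact. The `TokenVault` class, ledger layout and sample e-mail addresses are all assumptions made for the example.

```python
import hmac
import hashlib
import secrets

# Constructed example: an order ledger that must be retained for accounting
# never stores the e-mail address, only a token. The vault holds the sole
# reverse mapping, so "forgetting" a person means deleting the vault entry.


class TokenVault:
    def __init__(self, key: bytes):
        self._key = key            # secret kept apart from the ledger
        self._token_to_pii = {}    # the only token -> PII mapping

    def token_for(self, pii: str) -> str:
        # Keyed hash: deterministic, so repeat customers get the same token,
        # but without the key a token cannot be reversed by guessing inputs.
        mac = hmac.new(self._key, pii.strip().lower().encode(), hashlib.sha256)
        return mac.hexdigest()[:32]

    def tokenize(self, pii: str) -> str:
        token = self.token_for(pii)
        self._token_to_pii.setdefault(token, pii)
        return token

    def reidentify(self, token: str):
        return self._token_to_pii.get(token)   # None once erased

    def erase(self, pii: str) -> bool:
        return self._token_to_pii.pop(self.token_for(pii), None) is not None


def record_order(vault, ledger, email, amount):
    ledger.append({"customer": vault.tokenize(email), "amount": amount})


def forget_customer(vault, ledger, email):
    # Returns (mapping removed?, ledger rows retained for that customer).
    token = vault.token_for(email)
    removed = vault.erase(email)
    retained = sum(1 for row in ledger if row["customer"] == token)
    return removed, retained


def demo():
    vault, ledger = TokenVault(secrets.token_bytes(32)), []
    record_order(vault, ledger, "alice@example.com", 120)
    record_order(vault, ledger, "Alice@Example.com", 80)    # same person
    record_order(vault, ledger, "bob@example.com", 15)
    before = vault.reidentify(ledger[0]["customer"])
    removed, retained = forget_customer(vault, ledger, "alice@example.com")
    after = vault.reidentify(ledger[0]["customer"])
    return before, removed, retained, after, len(ledger)


if __name__ == "__main__":
    print(demo())
```

After erasure the two retained rows are still in the ledger, but nothing in the system can attribute them to the person, which is the practical meaning of pseudonymization here.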
While we may still have a shaky understanding of GDPR, we know one thing for certain: the non-compliance penalties would be a hard hit to most organizations. The penalties are either 2-4 percent of an organization’s global revenue or 20 million euros, whichever is higher.
So wherever you stand in your GDPR compliance, it is time to get moving.