Preparing for the EU GDPR will take diligence and ongoing commitment. Rolling out the processes required for compliance will take months, possibly years. Organizations must start today.
To help lay the groundwork for a successful, EU GDPR-compliant company, five core areas should be considered and addressed:
The first step to EU GDPR compliance is looking inward. Organizations must examine their current processes and map their existing data landscape so they know where personal data actually sits. Rather than assessing this through questionnaires or surveys that rely on people's memories, automated discovery is the more reliable way to surface that information and to keep it current as systems change.
For example, is your procurement data sitting on a server in the back room, or in a cloud-based solution? Which of your systems store contact information, financial data, or health records for your prospects and customers? Which software solutions communicate with the systems in which your data is stored? How deeply connected are they? Who is accountable for the security of your data?
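As an added illustration of what "automated discovery" means in practice (this is example code, not from the original article or its vendor), the following scan walks a set of systems and reports which of them hold contact, financial or health data. The system names, detector patterns and sample records are constructed for the example; a real scanner would read file shares, database exports and SaaS APIs, and would validate hits (for instance with IBAN checksums) to cut false positives.

```python
"""Added example: a minimal automated data-inventory scan.

Walks a set of "systems" (constructed in-memory contents standing in for
file shares, database dumps and SaaS exports) and reports which system
holds which category of personal data, so "where is contact / financial /
health data sitting?" is answered by a scan rather than a questionnaire.
"""
import re
from collections import defaultdict

# Detectors: category -> compiled regex. Deliberately simple and assumed
# for illustration; production detectors need validation to reduce noise.
DETECTORS = {
    # e-mail addresses
    "contact": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    # IBAN-shaped tokens: country code, 2 check digits, 4-char groups
    "financial": re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{4}){3,7}\b"),
    # clinical markers that indicate health records
    "health": re.compile(r"\b(?:ICD-10|diagnosis|blood type)\b", re.I),
}

# Constructed sample "systems" (hypothetical names and contents).
SAMPLE_SYSTEMS = {
    "crm-export.csv": "name,email\nAnna,anna@example.eu\nBo,bo@example.eu\n",
    "procurement/backroom-server/invoices.txt":
        "Supplier Ltd IBAN DE89 3704 0044 0532 0130 00\n",
    "hr-cloud/benefits.json":
        '{"employee":"ej@example.eu","notes":"diagnosis: ICD-10 J45"}',
    "build-logs/ci.log": "build ok 12:00\nbuild ok 12:05\n",
}


def scan(systems):
    """Return {system: {category: hit_count}} for every system that holds
    at least one detected record; systems with no hits are omitted."""
    inventory = defaultdict(dict)
    for name, content in systems.items():
        for category, pattern in DETECTORS.items():
            hits = len(pattern.findall(content))
            if hits:
                inventory[name][category] = hits
    return dict(inventory)


def systems_holding(inventory, category):
    """Sorted list of systems in which `category` data was found."""
    return sorted(s for s, cats in inventory.items() if category in cats)


if __name__ == "__main__":
    inv = scan(SAMPLE_SYSTEMS)
    for system, cats in sorted(inv.items()):
        print(f"{system}: {cats}")
    print("systems with health data:", systems_holding(inv, "health"))
```

Run on the constructed sample, the scan places contact data in two systems, financial data on the back-room procurement server, and health data in the HR cloud export; the CI log holds none and so does not appear in the inventory. The output is the starting point for the ownership and connectivity questions above, and re-running it on a schedule is what keeps the inventory honest.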
Whether or not the EU GDPR legally requires it, organizations should appoint a Data Protection Officer who is accountable for overseeing how personal data is handled and for reporting on it. Regular training and reviews should also be put in place to improve data storage and management practices.
The second step involves examining how data is used and shared outside the organization. Begin by implementing controls that minimize the amount of data processed, so information is shared only when necessary and only with the parties that need it. Then regulate how data is processed and with whom: consider which data absolutely needs to be processed, when, and how.
Pay special attention to data transferred from the EU to other countries. Ensure this happens only when a legal basis can be established, either because the receiving party operates in a country the EU has recognized as providing adequate protection, or because it accepts the data under approved standard contractual (model) clauses.
Beyond regulating your organization's internal and external data practices, the rights the EU GDPR grants to individuals (data subjects) require a new level of transparency.
Where processing relies on consent, individuals must explicitly opt in when their data is collected, and organizations must clearly state the purpose and duration of use; consent must be obtained again before the data is used for a new purpose. Organizations must also be able to tell individuals where their data resides, be upfront about which third parties will access it and why, and delete or correct the data upon request.
Part of being transparent under the new law is following the proper notification process in the event of a breach. When personal data is lost or exposed, organizations must have processes in place to identify the breach quickly, contain it, and notify the supervisory authority (within 72 hours of becoming aware of the breach, where feasible) and, where the breach is likely to put individuals at high risk, the affected data subjects.
Becoming GDPR compliant is not a one-time fix. To ensure ongoing compliance, security teams need to build in the ability to routinely check and assess the status of data across the organization. Understanding where different types of data reside, who has permission to access and share them, and where and how data enters and exits the organization is a must.
To lay the proper foundations, organizations need to start implementing processes that track user access and permissions and keep an audit log of all actions performed. These records may later serve as evidence of regulatory compliance, so they must be protected against alteration as carefully as the data they describe.
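An audit log only works as evidence if an auditor can show it was not edited after the fact. The following added example (not code from the original article or its vendor) records access and permission events as a hash chain, where each entry carries the SHA-256 of the previous one, so that any edit or deletion in the middle of the log is detectable. The event fields, actor names and sample events are assumptions chosen for the example.

```python
"""Added example: a tamper-evident audit log for access and permission events.

Each entry records who did what to which resource and links to the previous
entry by hash. `verify` walks the chain from a fixed genesis value and
reports the first entry whose link, sequence number or content no longer
matches, which exposes in-place edits and removed entries alike.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # "previous hash" of the first entry (assumed constant)


def _digest(entry_without_hash):
    # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible
    # regardless of how the entry was serialized or stored.
    blob = json.dumps(entry_without_hash, sort_keys=True,
                      separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


class AuditLog:
    def __init__(self):
        self.entries = []

    def record(self, actor, action, resource, timestamp=None):
        """Append one event, chained to the hash of the previous entry."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "ts": timestamp or datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "action": action,
            "resource": resource,
            "prev": prev,
        }
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        return entry


def verify(entries):
    """Return (True, None) if the chain is intact, else (False, index) with
    the position of the first entry that fails the sequence, link or
    content check."""
    prev = GENESIS
    for i, e in enumerate(entries):
        body = {k: v for k, v in e.items() if k != "hash"}
        if (e.get("seq") != i or e.get("prev") != prev
                or _digest(body) != e.get("hash")):
            return False, i
        prev = e["hash"]
    return True, None


def demo():
    """Build a short log, then verify it intact, edited, and with a gap."""
    log = AuditLog()  # constructed sample events with fixed timestamps
    log.record("alice", "grant_share", "crm/contacts.csv", "2018-05-01T09:00:00Z")
    log.record("bob", "read", "hr/benefits.json", "2018-05-01T09:05:00Z")
    log.record("bob", "export", "hr/benefits.json", "2018-05-01T09:06:00Z")
    intact = verify(log.entries)

    edited = [dict(e) for e in log.entries]
    edited[1]["actor"] = "carol"            # rewrite who performed the read
    edit_result = verify(edited)

    gap = log.entries[:1] + log.entries[2:]  # silently drop the middle entry
    gap_result = verify(gap)
    return intact, edit_result, gap_result


if __name__ == "__main__":
    print(demo())
```

The intact log verifies; the edited copy and the copy with a removed entry both fail at index 1, the first entry whose content or predecessor link no longer matches. The chain proves integrity only relative to a head hash the auditor already trusts, so the current head (or a periodic signed checkpoint) should be stored somewhere the log writer cannot modify, such as write-once storage or a separate system of record.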
EU GDPR Implications in the Cloud: Explained Simply
In this recorded webinar, learn more about the ins and outs of the new regulation. Plus, find out how a CASB can help with the implementation of customer controls, incident management, and ongoing audits.