
5 Key Building Blocks to EU GDPR Compliance

Zack Gross

With a passion for all things tech and creative, I spend my time helping people discover how cloud cybersecurity protects and enables businesses all at once.


Preparing for the EU GDPR will take diligence and ongoing commitment. Rolling out the required processes for compliance will take months, possibly as long as two years. Organizations must start today.


To help lay the groundwork for a successful, EU GDPR-compliant company, five core areas should be considered and addressed:

Internal Governance

The first step to EU GDPR compliance is looking inward. Organizations must examine their current processes and map their existing data landscape to gain a coherent, comprehensive view of where data is sitting. Rather than assessing this through questionnaires or surveys that rely on people’s memories, implementing automated discovery processes is the most reliable way to surface the critical information needed to ensure ongoing compliance.

For example, is your procurement data sitting on a server in the back room, or in a cloud-based solution? Which of your systems store contact information, financial data, or health records for your prospects and customers? Which software solutions communicate with the systems in which your data is stored? How deeply connected are they? Who is accountable for the security of your data?

Whether or not the EU GDPR legally requires it, organizations are advised to appoint a Data Protection Officer who is responsible for managing data and reporting on it. Regular training and reviews should also be put in place to improve data storage and management practices.

Customer Controls

The second step involves examining how data is used and shared outside of the organization. Begin by implementing controls that minimize the amount of data processed, so that information is shared only when necessary and only with the parties that need it. Then regulate how data is processed and with whom, considering which data absolutely needs to be processed, when, and how.

Pay special attention to data transferred from the EU to other countries. Ensure such transfers occur only when a legal basis can be established, either by verifying that the receiving party operates in an approved country or that it accepts the data under approved model clauses.

Transparency

Beyond regulating your organization’s internal and external data practices, the new citizen rights granted by the EU GDPR require a new level of transparency.

EU citizens must explicitly opt in each time their data is acquired and organizations must clearly articulate the purpose and duration of use. Explicit consent must be reconfirmed any time the intended use of the data changes. Additionally, organizations must be able to tell customers where their data resides, be upfront about which third parties will access it and why, and delete or change the data upon request.

Incident Management

Part of being transparent under the new law means following the proper notification process in the event of a breach. When data is lost, organizations must have processes in place to ensure swift identification of the leak, containment of the incident, and timely notification of the affected parties and the appointed regulators.

Audits

Becoming GDPR compliant is not a one-time fix. To ensure ongoing compliance, security teams need to build in the ability to routinely check and assess the status of data across the organization. Understanding where different types of data reside, who has permission to access and share them, and where and how data enters and exits the organization is a must.

To lay the proper foundations, organizations need to start implementing processes that track user access and permissions and keep an audit log of all actions performed. These records may later serve as evidence of regulatory compliance.

EU GDPR Implications in the Cloud: Explained Simply

In this recorded webinar, learn more about the ins and outs of the new regulation. Plus, find out how a CASB can help with the implementation of customer controls, incident management, and ongoing audits.
