I have been fortunate to be invited to speak about the EU GDPR at a variety of security conferences and events recently, including ISSA in the USA, CeBIT in Germany, C-Cure/DEXCEO in Denmark, Telegraph Business Reporter in London and, most recently, Security Days in Tokyo. It became apparent that GDPR awareness is certainly increasing in all of these countries. In Tokyo, however, there is a strong focus on the Payment Card Industry Data Security Standard (PCI DSS) and its importance, with the 2020 Olympics being held in Japan.
While they are separate frameworks, it is not a big leap to treat the data which needs to be kept secure for PCI DSS as a subset of that required for the GDPR. Furthermore, many of the underlying requirements needed for GDPR compliance are the same as those for PCI DSS.
One major difference is that, while businesses can outsource the processing of credit card payments to reduce the impact of PCI DSS compliance, when it comes to the GDPR most organizations will be directly impacted by, and accountable for, the personal data they hold on EU citizens, regardless of the region in which the organization itself is located.
‘Right to be forgotten’ will be the biggest challenge
GDPR has a number of requirements which, for most, are completely new. The most challenging part of compliance will be withdrawing consent, also known as the ‘right to be forgotten’, something we’ve seen take considerable steps forward in the wider context of the Internet. For businesses, this means being able to discover where data is stored and potentially delete all references to the EU citizen making the request. While this is relatively simple for information held in databases, it is the unstructured data on laptops, file servers or in the cloud which will create a significant issue for organizations. The following steps will help you focus on priorities and accelerate compliance.
5 Key Steps for your GDPR compliance project
For most organizations, once the need to comply with the GDPR is understood, the next question is where to begin. In all my presentations I put forward a practical approach to GDPR compliance which works for organizations of all verticals and sizes, no matter what country they operate in:
1) Understand the basics of the General Data Protection Regulation
Download and read the regulation, understand how it fits in with other regional regulations a business might need to comply with, then how it maps to internal standards, including risk management, IT systems and policies.
2) Learn how GDPR relevant data flows inside and outside of your organization
Undertake a data flow exercise with the various departments of your organization that process and share critical data. Use technology to monitor usage and help you gain visibility of how critical data flows in and out of your organization.
3) Discover where GDPR relevant data is stored/located within your organization
Carry out a data-at-rest scan across your organization. The scan will provide you with a list of files which contain GDPR-relevant data and where that data is located (e.g. endpoint devices, servers). This will be essential for a ‘right to be forgotten’ request under the new legislation, but it can also be used to better understand the complexity of compliance.
4) Create a GDPR Compliance Action Plan and Timeline
The results of your mapping, monitoring and scanning exercises will highlight gaps in your data processing procedures and security technology. Use your findings to document a plan of action and a strict timeline for making the changes and improvements required, so that your organization will effectively comply with the GDPR by the time it is enforced (May 2018).
5) Deploy technology that will support your project AND GDPR compliance
Technology will play a part in your GDPR compliance project, helping you to comply with the regulation and to maintain ongoing compliance. Choose technology that automates manual data protection processes, enforces security policies, provides you with visibility of data flowing in and out of your organization, and increases the security and protection of critical data. Learn more about Driving GDPR Compliance: Discover, Secure & Govern.
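As an added illustration of step 3 and the ‘right to be forgotten’ lookup it enables (example code written for this post, not a Clearswift product or tool), here is a minimal data-at-rest scan in Python: it flags files containing e-mail addresses (GDPR personal data) and Luhn-valid payment card numbers (the PCI DSS subset mentioned above), then lists every file that mentions one data subject. The file names, contents and patterns are constructed assumptions.

```python
import re
from pathlib import Path

# Two data classes the post discusses: e-mail addresses (GDPR personal data) and
# payment card numbers (PCI DSS cardholder data, a subset of the GDPR scope).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")  # 13-19 digit runs

# Constructed sample "files" (path -> content) standing in for a file server.
SAMPLE_FILES = {
    "hr/onboarding.txt": "New starter: anna.schmidt@example.eu, desk 4B",
    "finance/expenses.csv": "anna.schmidt@example.eu,4111 1111 1111 1111,EUR 120",
    "finance/notes.txt": "Ref 4111 1111 1111 1112 is a ticket id, not a card",
    "it/readme.txt": "No personal data here.",
}

def luhn_ok(digits: str) -> bool:
    """Luhn check so digit runs that are not real card numbers are dropped."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify_text(text: str) -> dict:
    """Return the e-mails and Luhn-valid card numbers found in one file."""
    emails = set(EMAIL_RE.findall(text))
    pans = {re.sub(r"[ -]", "", m.group()) for m in PAN_RE.finditer(text)}
    return {"emails": emails, "pans": {p for p in pans if luhn_ok(p)}}

def scan_files(files: dict) -> dict:
    """Data-at-rest scan over path -> text; keeps only files with findings."""
    findings = {}
    for path, text in files.items():
        hits = classify_text(text)
        if hits["emails"] or hits["pans"]:
            findings[path] = hits
    return findings

def scan_tree(root: str) -> dict:
    """Same scan over real files under root (text read with errors ignored)."""
    paths = (p for p in Path(root).rglob("*") if p.is_file())
    return scan_files({str(p): p.read_text(errors="ignore") for p in paths})

def files_referencing(findings: dict, email: str) -> list:
    """'Right to be forgotten' lookup: every file that mentions one subject."""
    wanted = email.lower()
    return sorted(p for p, f in findings.items() if wanted in {e.lower() for e in f["emails"]})
```

Run `scan_tree("/path/to/share")` for a real directory; `scan_files(SAMPLE_FILES)` reports only the two constructed files that actually hold personal or cardholder data.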
The GDPR compliance journey is an opportunity!
The road to GDPR compliance requires a mix of analysis and research on people, processes and technology within your organization. This presents an opportunity to obtain a granular understanding of how your business operates and evolve the way you collaborate and do business.
The end result of a well-executed GDPR compliance project will not only reduce data breach risks and help you comply with the GDPR, it will increase the trust of your customers and prospects, and ultimately grow your business.
Contact a Clearswift specialist for a discussion and understand how we can help you gain a fast start to GDPR compliance.
- GDPR Compliance – burden or opportunity? (Telegraph Business Reporter Video Interview)
- Driving GDPR Compliance: Discover, Secure & Govern (datasheet)
- Preparing for GDPR: Regulation Overview & Technology Strategy (whitepaper)