In April 2016, the European Union adopted the General Data Protection Regulation, a law designed to strengthen individual citizens' rights to data privacy, and to simplify the regulation of data export outside the EU. Since then, companies have been digging into the regulations to fully understand what they will need to do to comply with these new rules. However, progress has been slow and there is a lot of confusion about whether a company is required to comply with these regulations or not.
As of May 25, 2018, these rules will be enforced, and the penalties for companies that violate them are very heavy: fines can go up to 4 percent of a company’s global income. That can get pricey, so the better solution is to prepare and come into compliance with these regulations sooner rather than later.
ITPro Today queried several experts familiar with the regulations to bring you an informal GDPR checklist for organizations and businesses that will be collecting and handling data from citizens of the EU. These items should help as you evaluate and plan your own policies and actions to comply with the GDPR. The recommended to-dos follow.
Identify the Big-Picture To-Dos
As Corey Nachreiner, CTO of WatchGuard Technologies, said, “Companies should realize that GDPR goes far beyond just the technical defenses. It also involves doing a data risk assessment, putting your defenses in the right place, transparently informing your customers what data you store, ensuring your customers can remove their data whenever they want, backing up that data, and informing them if their data is lost, within 72hrs of discovering it.”
Put Someone In Charge of Data Compliance
Laurence Pitt, who is the Global Security Strategy Director for Juniper Networks, recommended, “Put someone in charge of data compliance. Under GDPR, this person is known as the Data Protection Officer (DPO), and is responsible for ensuring the company is managing and securing data to comply with GDPR, as well as maintaining ongoing compliance. Without a DPO, internal battles might prevent effective decision-making and your company will risk failing to comply.”
Figure Out How You’ll Audit And Encrypt Your Data
With companies collecting and storing massive amounts of data, running a full data audit will help capture an accurate picture of all data processed by a company. Furthermore, because data changes value over its lifecycle, an audit will be beneficial beyond just knowing ‘what’ to encrypt under GDPR. Consider in-motion data and network data protection methods as well, using the latest encryption and CASB tools.
Understand Who is Accessing Data And How They’re Accessing It
With demands for 24/7 network access, it is very important to put controls in place to reduce risks presented by unauthorized access. Make sure that employee access methods are strong by utilizing password best-practices and multi-factor authentication. Looking at “what” connections are accessing data is also an important aspect of GDPR preparedness. Today, many organizations have third-party connections in place with partners and/or other applications. These will need to be continuously monitored for ongoing GDPR compliance.
Establish an Incident Response Process
An effective incident response process will put companies in a stronger position, should a breach occur, to understand what happened and its impact, and to mitigate it within the mandated 72-hour reporting timeframe. After the breach is reported, impacted customers may need to be contacted, but if a company is able to limit damage by executing its incident response process, the risk of reputational or financial damage to the brand will be reduced.
Find All Your Old Assets And Make Sure They’re Updated
As Sam Curcuruto, the technology evangelist at RiskIQ, says, most companies are often unaware of the digital assets they may have outside their corporate network. As a result, an old, forgotten website with an expired SSL certificate that collects personal information might actually spark a GDPR compliance violation.
Curcuruto said, “While most development and security teams are following the guidelines for new pages and sites, old sites, forgotten sites, or sites which have been inherited as a result of a merger or acquisition need to be retrofitted and updated. But without an automated discovery solution, it's difficult, if not impossible, to ensure that you've found all of the assets that belong to an organization on the internet, let alone pinpoint the ones which collect PII.”
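The kind of check the two paragraphs above call for, once an inventory of internet-facing hosts exists, is whether each host's TLS certificate is expired or about to expire. The following is an added example written for this checklist; it is not code from the article, from RiskIQ, or from any product mentioned here. It uses only the Python standard library: the offline part classifies certificate `notAfter` values (in the format `ssl.getpeercert()` returns) against a fixed reference date, and `fetch_not_after` performs the live lookup for a real host. The host names and dates in the sample inventory are constructed, and the 30-day warning threshold is an assumed policy value.

```python
import socket
import ssl
from datetime import datetime, timezone

# Assumed policy: flag certificates that expire within this many days.
WARN_DAYS = 30


def parse_cert_time(not_after: str) -> datetime:
    """Convert a notAfter string such as 'Jun  1 12:00:00 2025 GMT'
    (the format ssl.getpeercert() produces) into an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)


def days_until_expiry(not_after: str, now: datetime) -> int:
    """Whole days remaining before the certificate expires (negative if expired)."""
    return (parse_cert_time(not_after) - now).days


def classify(not_after: str, now: datetime, warn_days: int = WARN_DAYS) -> str:
    """Return 'expired', 'expiring' (within warn_days) or 'ok'."""
    days = days_until_expiry(not_after, now)
    if days < 0:
        return "expired"
    if days <= warn_days:
        return "expiring"
    return "ok"


def audit_inventory(inventory, now: datetime) -> list[dict]:
    """Classify every (host, notAfter) pair in an inventory.

    The inventory is expected to have been collected beforehand, e.g. by calling
    fetch_not_after() for each host found by an asset-discovery process."""
    findings = []
    for host, not_after in inventory:
        findings.append({
            "host": host,
            "days_left": days_until_expiry(not_after, now),
            "status": classify(not_after, now),
        })
    return findings


def fetch_not_after(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Live lookup: open a verified TLS connection and return the leaf
    certificate's notAfter field. Verification is left on deliberately; if the
    chain is already invalid (expired, wrong name, unknown CA) the handshake
    fails and the error text is returned as the finding instead of a date."""
    context = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with context.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as exc:
        return f"verification failed: {exc.verify_message}"


# Constructed sample inventory (hosts and dates are made up) and a fixed
# reference date so the offline part is reproducible.
SAMPLE_NOW = datetime(2018, 3, 1, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    ("legacy-signup.example.test", "Feb 25 12:00:00 2018 GMT"),   # already expired
    ("promo-2016.example.test", "Mar 20 00:00:00 2018 GMT"),      # expires in 19 days
    ("www.example.test", "Jun  1 00:00:00 2019 GMT"),             # fine
]


if __name__ == "__main__":
    for finding in audit_inventory(SAMPLE_INVENTORY, SAMPLE_NOW):
        print(f"{finding['host']:<30} {finding['status']:<9} {finding['days_left']:>5} days")
```

Running the script prints one line per host with its status and days remaining. To turn this into a real audit, replace `SAMPLE_INVENTORY` with `[(h, fetch_not_after(h)) for h in hosts]` over your discovered host list and pass `datetime.now(timezone.utc)` as `now`; hosts whose handshake fails verification will show the failure text rather than a date, which is itself a finding worth tracking.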
Find All Your Mobile Assets And Make Sure They’re Updated
The rise of mobile devices and apps as baseline technological components in an enterprise means that IT professionals can’t assume that GDPR compliance begins and ends with managed PCs accessing corporate data.
Lookout Security’s chief strategy officer Aaron Cockerill said, “If organizations aren’t thinking about mobile as part of their GDPR compliance strategy, they are forgetting a critical component that could leave them exposed to costly fines.”
Make Privacy Awareness Mandatory
Sanjay Beri, CEO of Netskope, said, “By requiring every employee to participate in cybersecurity awareness training and conducting training on an ongoing basis, organizations can foster a culture of security awareness.”
After all, security teams not only identify noncompliance risks; they are also tasked with reducing them. Making sure that employees can correctly identify and mitigate those risks can help a company comply with GDPR.
And Now, Here’s Where to Find Further Resources
The companies quoted above have also established tools and services to help you verify that your current configuration is in compliance with the upcoming GDPR. More information is available on each company's linked page, and if you are already a customer, reach out to your account manager to begin a dialog about getting completely prepared for the transition to GDPR.
There are fewer than 90 days remaining to ensure you are compliant and ready to move forward as you continue doing business with customers in the EU.