13 Nov How to Prepare for GDPR?
Most organizations are aware that if they control or process data that relates to EU residents, they will need to be compliant with the EU’s General Data Protection Regulation (GDPR).
These regulations come into effect from May 25, 2018. For those found to be non-compliant, potential fines can be as much as four percent of global revenues or 20 million Euro, whichever is greater.
This holds true even if you don’t have offices, employees, or customers in the EU. If you control or process data that relates to a natural person who is an EU resident, you will need to be compliant.
You may be asking yourself, “How to get to be compliant?” If so, you aren’t alone!
In fact, while most organizations that are affected by GDPR realize they need to work towards compliance, not many organizations actually know what full compliance means or have a plan to move in that direction.
As GDPR is relatively new, untested, and oftentimes vaguely worded, there really is no tried and true “off the shelf” preparation program. Instead, most organizations are either trying to figure it out themselves or enlisting the help of outside consultants.
And, while I can’t tell you what method is best or most appropriate for your specific situation, I can point out some key ingredients that any GDPR preparation should have.
For starters, whatever plan or program you use to move towards GDPR compliance, it should definitely include the ability to detect, manage, and protect the data that relates to EU residents that you control or process, as well as the ability to report on the use of that data or instances where that data may have been compromised.
Put together, these four “pillars” of GDPR preparation can be remembered as Discover, Manage, Protect, and Report. Or, if you like abbreviations, you can use DMPR. Just remember, for GDPR you need DMPR.
Yeah, sure you say, but what does that actually mean?
Well, for starters you need to be able to discover what data you have, where it resides, and for what purpose you have it.
It could be emails, client records, customer feedback forms, or HR records. It could even be something seemingly innocuous as images or CCTV scans. If those images, videos, or other data relates to an EU resident, then it will fall under GDPR. So you’d better have a plan to find or “discover” it.
Once you’ve discovered the data affected by GDPR you will then need to “manage” that data. This means you need to develop policies and classifications for the different types of data and how you want to manage and protect it.
For example, if you have Personally Identifiable Information (PII), you may want to force encrypt or possibly “de-identify” that data. You may have policies that suggest encryption if a credit card number or social security number is detected, and would force encryption if multiple numbers were detected. Or, you could enact policies that control what types of data and documents can be shared with people outside of your organization.
The point is, you need to have enterprise-wide classifications or taxonomies for the different types of data, and policies that relate to how your organization will use and protect that data.
Once you have detected and managed your data, you then move on to “protection.” This is where you turn on the technology or tools that automate the enforcement of the policies you established.
For example, you can automate forced document classification, encryption, or other data loss prevention (DLP) tools. And, as GDPR also relates to security, you should determine when you force actions such as multi-factor authentication (MFA) or forced password reset, etc.
Finally, once you have the discovered, managed, and protected your data, you will need to develop the ability to “report.”
This means you will need to be able to report to any EU residents your purpose for controlling or processing the data that relates to them or, be able to rectify or remove that data upon request.
Furthermore, if you experience a data security breach, you may be required to report to the appropriate regulator within 72 hours. And, you might be required to notify all EU residents whose data may have been comprised by that breach.
The takeaway here is that you will need to have processes and tools in place that will allow you to comply with the GDPR reporting requirements.
In addition to the four pillars of DMPR, I strongly suggest that you consult with an attorney who specializes in privacy and cybersecurity issues and a specialist in the area of cybersecurity insurance for businesses.
For more information on GDPR preparation, please contact me at firstname.lastname@example.org or visit: www.adaquestsecurity.com/
Mark Shriner is Director of Business Development for adaQuest a Microsoft Cybersecurity & Compliance partner with offices in Bellevue, Washington, Tokyo, and Sao Paulo.