One month and 20 days. You have one month and 20 days before the European Union’s General Data Protection Regulation (GDPR) comes into effect. You have just 50 days (including weekends) to implement people, process, and technical controls that ensure the protection and privacy of data entrusted to your organisation by EU residents. 50 days isn’t a lot of time.
Where to start? How do you begin to identify all the data you collect, the digital assets that collect it, and the applications that process them? Is it too late to develop data flow maps that highlight the third parties (and their third parties) that personal data is being sent to? What technical controls that “ensure… security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data” will the regulators find “appropriate”? Making the necessary changes to how your organisation collects, processes, shares, and stores personal data may seem like a daunting task.
But there is time. Despite the requirement for compliance with the GDPR by the 25th of May, there is a lot you can do now, and after the May 25th date, to demonstrate that you take the privacy of EU residents seriously. Compliance is an ongoing effort, but you can today, “implement technical and organisational measures” to manage threats that may impact the rights of individuals.
Here are three key things you can do now to prepare for the EU GDPR:
1. Protect Your Company
GDPR mandates that companies implement organisational and technical controls, appropriate to the likelihood of potential risks impacting the confidentiality, integrity, and availability of personal data. You must ensure that your risk management program identifies the likelihood of potential cyber threats impacting the privacy of personal data you hold and process.
According to the Verizon data breach report, over 70% of data breaches occur due to external cybercriminals. An estimated 91% of all cyber-attacks start with an email; that’s why securing the email channel is critical. Email is also a critical risk vector for outbound data loss. Preventing personal data from being exposed (either maliciously or accidentally) in email messages must be a top priority to lower the risk of a data breach.
2. Train Your Users and Third Parties
But you can’t do this with technical controls alone. You have to ensure that your internal users and the third parties you work with are handling and protecting data as detailed in your policies and contracts respectively. It’s not enough to create privacy policies. Your end users need to understand that they are accountable for meeting data protection requirements, and this can only happen by communicating data privacy policies to your employees. You must implement training programs that begin to change behaviour. Your training should detail how employees can make the right decisions about the data they collect and handle that has been identified and classified as ‘personal’. In addition, you must explain the potential consequences of non-compliance.
3. Document Gaps
You must also begin to document the gaps you have identified in your data mapping exercises and risk assessments along with the changes you are making, and plan to make, to drive towards compliance. As this is an ongoing journey, there is no end. The partners you work with, the types of personal data you collect, the applications and employees that access and process personal data will evolve. That’s why keeping extensive internal records of your data processing and protection activities is vital. You will need to develop a process to log, store, and analyse all processes that touch personal data as it is your responsibility to demonstrate compliance with the regulation.
So with 50 days to go, if your organisation collects and/or processes data on any individual residing in the EU (and the UK), the time is now to start taking action. Learn more about the additional steps your organisation will need to take to prepare for the GDPR by downloading the ‘Procrastinator's Guide to Preparing for the GDPR’ analyst report.