It's About Time
Some data security pundits are saying, “It’s about time.” Sure, becoming fully compliant with the European Union’s General Data Protection Regulation (EU GDPR) is going to be a big, expensive burden for many organizations. However, upon review of the GDPR, it's clear that many of its directives are so basic, so common sense, so critical, that every organization should have already been working towards them anyhow.
The fact that, as of next year, non-compliance with the GDPR could result in serious financial fines—or even prison sentences—is just the kick in the pants that organizations need to start implementing data protection measures that should have been a higher priority long before now.
Sure, there are GDPR demands that are less than desirable for many organizations, but they are mandated anyway. These include regulations that give individuals more control over their private data, for example: data use policy declarations, consent for the collection and use of personal data, visibility into an individual’s data, the “right to be forgotten”, and the right to block personal data profiling.
For both categories of regulations, organizations will have to adopt many new approaches to how they collect, store, access, process, monitor, analyse, expose, document and delete the personal data they hold. In fact, organizations will discover that GDPR compliance will actually become a new way of life.
The Three Pillars
GDPR will become embedded into the culture of organizations because of the far-reaching impact that compliance will have. To cover all the bases, there will really be no choice but to establish or revamp efforts across three separate areas:
- Processes: Numerous new processes will be required, covering a wide range of areas. Examples include processes for collecting personal data, identifying sensitive data within databases, risk management assessments, monitoring data access, handling requests from individuals (data access, right to be forgotten, etc.), and communicating about and responding to security incidents.
- People: It goes without saying that people are at the center of implementing processes. Furthermore, extensive employee education will be required to comply with GDPR.
- Technology: While the GDPR is much too broad to lend itself to compliance by just deploying some hardware and software, there are many technological solutions that will be critical to enabling the various process, protection and people aspects described above.
There are thousands of details involved in addressing GDPR requirements, but the journey towards compliance will benefit the organization in numerous, very valuable ways that reach far beyond satisfying the regulation itself.
Helpful Tips to Get Started
To get started, here are a few key areas to focus on while you start strategizing and defining your compliance action plan:
- The processes, people and technology measures you deploy will need to address how personal data is stored or processed by your organization, so the first step is to identify everywhere that personal data is collected, stored and used.
- Some of the key security, privacy, IT and administrative policies required by the GDPR will need to be established, assessed, and re-assessed: pseudonymisation, encryption, documentation, and taking measures to ensure the integrity, confidentiality, availability, resilience, assessment and post-incident-recovery of processing systems and services.
- It is essential to investigate available technology solutions that can provide quick wins in multiple areas of the regulation, for the purpose of saving you time, resources and cost. Some features to look out for are: automated pre-assigned alerts, clear visibility, easy reporting, and rapid, reliable investigation capabilities.
- The GDPR requires organizations to deploy mandated measures to inform, protect and serve the individuals whose personal data they hold, including notifications at the time of data collection, receiving consent and processing requests “to be forgotten.”
- Further procedures, related to potential data breaches, need to be implemented, including the ability to detect and report breaches to the relevant supervisory authority as well as notifications to affected individuals.
- It’s critical to begin educating employees early regarding the GDPR at a high level and how it will impact their roles down the road. Your internal users—including IT privileged users, business users and third-party contractors—can serve as the greatest guardians of the GDPR cause, but also pose your greatest threat if security awareness about personal data is not embedded in your organization’s culture from the start.
In order to get started with your GDPR action plan, it’s important to focus on the key overarching GDPR requirements one at a time! To learn how Proofpoint's Insider Threat Management tool can help you meet multiple GDPR requirements as well as establish an internal culture of GDPR-awareness in your organization, read this informative whitepaper.
For your convenience, here's a link to the official EU GDPR Regulation with useful chapter headings. Or, download the full EU GDPR Regulation as a PDF.
Want to see how ITM can help you prepare for GDPR?