Enabling GDPR compliance
The European Parliament published the GDPR (General Data Protection Regulation), which applies from May 25th, 2018. Many companies are not even aware of the regulation, let alone in a position to comply with it.
Violating the GDPR principles and rules can result in hefty fines, and the organizational burden may require a thorough revision of the administrative procedures that touch personal data. GDPR authorizes regulators to levy fines of up to 20 million euros or four percent of annual global turnover, whichever is greater.
Alright, this is scary. So, what should we do to meet the GDPR requirements?
It is likely you will need a compliance plan or program to manage these changes, but don't focus only on the narrow requirements of the Regulation. Use this as an opportunity to improve the overall understanding of security and information handling in the organization. Appointing a data protection officer (DPO) is an explicit legal requirement only in a few cases (Article 37: public authorities, large-scale regular and systematic monitoring of individuals, and large-scale processing of special categories of data). Even where it is not mandatory, it is an advantage to appoint a DPO with the expertise to assess the company's status and to make this person or team responsible for the GDPR compliance process.
Many of the actions require information security skills. If you don't have the technical or legal skills in-house, it is advisable to buy them from IT security contractors and law firms.
To wrap up, every organization needs four elements in place:
- Policies and procedures that give operating guidance
- Supervision, to implement these internal rules
- Monitoring, to ensure the audit tools and controls operate throughout the data life-cycle
- Governance, to maintain adherence and effectiveness and to ensure all gaps are closed
The plan, tell me about the plan…
The GDPR is a very large regulatory framework. To make it operational, we highly recommend that companies isolate the requirements relevant to them, translate those requirements into controls, combine them with their existing information security controls and take action.
Traditionally, a handful of systems have been used to process the business data. With business growth, the volume of data may have increased many times over, and external interface connections to third-party vendors and trusted business partners may have multiplied to support that growth.
It is important that the organization has accurate end-to-end data flow diagrams to track the movement of personal data. If data tracking or data flow diagrams covering all interface connections and data movements are not available, the organization needs to reverse-engineer them, using available discovery tools or consultants, to produce end-to-end business process documents and data flow diagrams.
Once the discovery phase is complete, the enterprise must perform a risk assessment to identify the critical applications in which personal information is processed and rank those applications by risk level. As an outcome, define the controls that mitigate the gaps identified during the data privacy assessment.
After the assessment, develop a gap analysis and define a plan to address all issues, taking into account the risks involved, the amount of effort and the available resources. Based on the gap assessment, the resulting projects are prioritized and placed on a timeline.
An implementation plan should be drawn up for each department of the organization. Provide extra support for projects that involve many departments or organizational units located in different locations or countries. To ensure you have covered all risks and all areas where personal information is handled, you need to cover the entire life-cycle, from collection through processing and storage to deletion.
A GDPR implementation team should be formally established, with all roles and responsibilities clearly defined. The Data Protection Officer (DPO) may be an employee or a third-party service provider, which gives significant independence for compliance monitoring. In both cases it is advisable to set up a team around the DPO to address the complexity and technicality of the work. The DPO should be regarded as the conductor who leverages resources and prioritizes the closing of compliance gaps, providing recommendations and solutions during implementation and ongoing compliance. The project roll-out should follow a risk-based approach.
Cybercom, as a solution provider, understands the complexity of this subject and has therefore created a GDPR Implementation Guide that puts the compliance framework in place, and a GDPR Portal for effective control, monitoring and governance of GDPR adherence and compliance. From a service delivery perspective, we can cover all aspects of the implementation: business, legal and technical.
By starting now and taking the time to step through the Guide, your organization can achieve GDPR compliance, protect the company's reputation and image, increase customer retention and loyalty by building trust, and reduce the number of data breaches and security incidents.