Americas

  • United States
sandra_henrystocker
Unix Dweeb

Eight steps to the GDPR countdown

Feature
May 25, 20174 mins
Data CenterRegulationSecurity

11 regulations
Credit: Thinkstock

One year from today, the recently passed regulation known as “GDPR” (General Data Protection Regulation) goes into effect. While EU-specific, it can still dramatically affect how businesses that work with personal data of citizens and residents of the EU. GDPR was approved a year ago and will be going into effect in another year. It applies directly to organizations within the EU, but also applies to organizations outside the EU if they 1) offer goods and services to the EU, 2) monitor the behavior EU subjects, or 3) process or retain personal data of EU citizens and residents. And the regulation can place very serious fines and sanctions for non-compliance.

Step 1: Partners

Select partners – legal, technical, and strategic – that might be qualified to assist with GDPR compliance. They should be familiar with the effects that the regulation will have on your particular industry. Your organization’s size and location might also factor into your decision.

Step 2: Readiness assessment

Do an early assessment of how you are likely to be affected. Determine if you have EU customers or handle data from partners and customers that do. Find out if your business has any plans to do business in the EU or might be hiring EU citizens sometime in the future.

Step 3: Get ready to tackle GDPR as a business initiative

Don’t be lulled into thinking of the move to GDPR compliance as a technology-only project. Consider its impact on all business units – legal, financial, personnel, etc. Technology can certainly help to bring about your transition to GDPR compliance, but it’s not a magic pill.

Step 4: Identify and map your data

Consider all the data that your business collects, processes and stores. Get a clear view of how it is stored and backed up, and how it moves through your organization. Also, consider who has access.

Step 5: Create a plan that exceeds regulatory minimums

While you’re preparing for GDPR, take a broader look at all the data your organization processes. Pay particular attention to personal data and corporate intellectual property. Create and implement training programs to keep staff attuned to both risks and processes for proper handling of sensitive data. If you don’t already have an incident response plan, create one. If you do, make sure that it’s being followed and that records are kept so that your incident response performance can be reviewed.

Step 6: Document your audits

Be careful to document the steps that you take to audit your procedures and ensure that your control procedures are being followed. Proper records and evidence of your efforts to be vigilant in protecting sensitive information could be very valuable and help you to avoid fines if a security incident is identified.

Step 7: Protect data at rest and in motion

Don’t lose sight of the fact that data moving across your network might be most vulnerable. Use encrypted connections whenever possible. Control and monitor who has access to shared drives. Remember, too, that jurisdiction and rules change as data moves across borders.

Step 8: Implement process automation

Use automation to avoid human error as much as possible. Heavily test your processes before relying on them. Think of GDPR compliance as one more reason to address operational inefficiencies across the board.

One year from now …

On this day next year, you could be confident that your processes and data protection measures are going to make May 25th a good day, but you need to start focusing on how you’re going to get to that comfort zone. The one year countdown starts today.

References

  • What Wikipedia has to say
  • GDPR FAQ

Credits

Thanks to Globalscape for working with to provide these tips for companies embarking on a GDPR compliance initiative.

sandra_henrystocker
Unix Dweeb

Sandra Henry-Stocker has been administering Unix systems for more than 30 years. She describes herself as "USL" (Unix as a second language) but remembers enough English to write books and buy groceries. She lives in the mountains in Virginia where, when not working with or writing about Unix, she's chasing the bears away from her bird feeders.

The opinions expressed in this blog are those of Sandra Henry-Stocker and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.

More from this author