GDPR, only one year to GO!
Exactly one year from now, organizations must comply with the GDPR legislation. Some are already preparing; others are still waiting for inspiration to come (from others). At SecureLink, we have completed our first GDPR readiness assessments with customers. These have given us many insights, which I want to share with you through 6 practical tips.
GDPR: 6 things we’ve learned from practice:
- GDPR is a board-level concern. That is why we advise you to set up a governance group under the leadership of the CISO and/or Data Protection Officer. Assess the GDPR-readiness of your organization and develop an action plan that covers the legal, process and technical levels.
The governance group usually consists of stakeholders such as legal, HR, marketing, finance, IT and operations; basically, any department that processes personal data. Data protection officers and CISOs are hard to find, and the ones you have only have a limited amount of time. We have seen customers hire a project manager or program manager to streamline communications, organize internal meetings and follow up on action points with the stakeholders.
- Consider your data: map which data you need and which data you collect. Which data do you process? Do you need to collect or retain that data?
The answer to these questions typically comes from the Data Protection Officer with the help of the business stakeholders. The final goal is to create the mandatory Data Register (GDPR, art. 30). How do you get started? Data Register templates are available on the internet. Once you have downloaded one, ask each stakeholder to fill it out.
- Identify the flow of personal data in your organization and map how it is processed, secured, stored and deleted.
In order to do so, each stakeholder should work with the IT department to map the applications and databases in a high-level diagram. These diagrams can be enriched by the IT Security Department with the security controls deployed on the network, hosts, applications and data systems.
- Assess your current security level and your ability to protect personal data against unauthorized processing and data loss.
Our customers are assessing their organization to get a high-level overview of their current security levels. SecureLink is helping these customers through the Security Maturity Assessment. Some organizations request more technical assessments to learn the current state of a specific security control or process.
- Use the ‘Privacy-by-Design’ approach to enhance your security level to protect personal data and to make it compliant by default.
One of the ‘privacy-by-design’ principles is the end-to-end security model, which includes these four steps: prepare, protect, detect, response.
The four practical tips above belong to the prepare step. When it comes to the other three steps, companies seem to focus mostly on protect. I must admit that detection and response are harder to implement, because they form a learning process that requires resources. Therefore, many companies address these two steps periodically at first; later on, it becomes a more continuous process.
- Implement a breach notification process, backed by continuous security monitoring, to make sure you have the right tools to comply with the 72-hour notification deadline.
The breach notification process starts with the response step of the end-to-end security model. When the governance group creates the data register, it also has to consider who needs to be informed and which actions should be taken in case of data loss.
Hopefully, these practical tips are useful to your organization and contribute to your journey towards GDPR readiness. SecureLink is a trusted advisor on data security and breach notification and can guide you through this process. Feel free to ask for more information.