Ensuring GDPR compliance can be a daunting task with many approaches. Let us guide you through your GDPR journey and the benefits of compliance.
An often-asked question these days is “are you ready for GDPR?”. At NNIT, we know that only a few organizations are able to answer yes. So instead, we ask “where are you on your GDPR journey?”.
The journey to compliance can seem long and complicated. Nonetheless, there are some essential steps to take that will make the journey less strenuous.
Do you know where your data is located?
Imagine that you own an airplane but you lack information about the model, type, and even the airplane’s location. How would you maintain it – or even secure it? Similarly, with data information you must know the type of data, data classification, and location or you will fail to protect it.
Consequently, for all your Personally Identifiable Information (PII) data, you need to identify data items, data formats, transfer methods, and locations. This can be achieved by conducting Privacy Impact Assessments (PIAs) to identify the potential risks and corresponding gaps in controls.
Have you formed a prioritized plan to close the gaps?
When you have located your data and identified your organization’s control gaps, you will likely face an overwhelming task.
To achieve compliance, a myriad of tasks will now require your attention and it will likely be difficult to prioritize them.
A Strategic Security Assessment can help you reinstate your overview and help you generate a road map for further actions.
Have you implemented the necessary controls?
When you have identified the gaps to compliance and formed a prioritized plan, you have then reached a point where you need to find suitable controls to close these gaps.
Controls come in different categories and covers people, processes, and technologies. Technology controls can include Encryption, Logging, Breach Response, Data Access Governance, and Identity & Access Management.
Common for all technologies are that in order to actually gain full utilization from them, you need to integrate them into the company culture and aid the people in your organization with the proper training to work with them. You must also ensure that you have a defined process around how you work within the regulation and technology.
Do you know who has access and to what, when, and why?
Identity & Access Management (IAM) is a control point that has an important relation to all of the other control points that you will implement along your GDPR journey. The sixth principle in the GDPR – “Processed in a manner that ensures appropriate security” – combined with article 32 “security of processing” demands security by design and security by default.
Consequently, the segregation of duties combined with access controls (for both administrators and employees), need-to-know principles, and data minimization are central and you will not only be looking at Identity and Access Management Technologies but also at the surrounding governance processes and procedures.
Do you know how to respond to a breach within 72 hours?
A rule of thumb in today’s digital climate is to expect security breaches. No organization is completely safe from digital threats – and by preparing for breaches, you will have strategies in place to deal swiftly and effectively with intrusions.
You should consider extending your existing disaster recovery plans with a GDPR section. Prepare communications messages in advance and have your legal team review them. For complex PII systems, describe in advance how you will identify the breached data subjects. Test your communication plan well in advance and treat your GDPR preparedness as you would any other business continuity and disaster recovery plan.
At this point of your journey, your organization has some of the essentials in place that will bring you closer to GDPR compliance – and reap the ensuing benefits. In addition to legal compliance, you will gain important data minimization. This means no excess amount of unknown data on file shares, which means fewer storage requirements and licenses as well as lower costs.
Numerous risks are mitigated with the segregation of duties and enforced access controls. You will have full information of who does what, when, and why. Lastly, the trust that you will gain from customers and employees will give you a competitive edge.
Take the steps on the GDPR Journey Map to see what your next step is.