GDPR Compliance

A Quick and Dirty Guide to GDPR Compliance

GDPR Compliance

Set a reminder: On May 25, 2018, the new General Data Protection Regulation directive from the European Union will go into effect. Although its goal to protect consumer data is admirable, about a third of global companies don’t know whether they need to comply with the stricter guidelines.

Spoiler alert: They probably do.

Even companies outside the EU are subject to the regulation if they store or process the data of people who live in Europe. Companies that don’t do any business within the EU aren’t safe, either — just having the data of EU citizens from other channels is enough. Cloud service providers, which were previously insulated from most data privacy liabilities, will be held responsible as “data processors” under GDPR.

Complying with the new rule will not be cheap, with 68 percent of affected U.S. companies anticipating costs above $1 million. Companies that fail to comply could be subject to fines of up to 4 percent of their global revenues. That’s an extreme punishment, but it could hit any company that fails to abide by the GDPR. Companies that only pay lip service to the rules will see the steepest penalties.

data compliance

How, though, can businesses log every part of every transaction involving EU citizen data? For CSPs with legacy systems, such sweeping changes are nearly impossible — and, when possible, extremely costly.

The better plan is for companies to take this opportunity to upgrade their data security processes. Don’t think of GDPR as the framework. Instead, build a new one. Start and follow data flows; then, map out any business process that collects, uses, retains, stores, or transmits information that falls under the new rule.

The Privacy Challenge

Companies usually only need to worry about privacy when using consumer information. Under GDPR, however, anyone who processes the information is subject to scrutiny.

This new level of responsibility requires companies to stay vigilant about how they interact with consumer data. For CSPs, that means ensuring data can only go where it should, preventing sensitive information associated with one product from being transferred to another.

Logging and tracking information is the most difficult — and most important — aspect of the new rule. EU citizens will soon have the “right to be forgotten,” which allows them to tell search engines and CSPs to erase them from the web.

To respond to requests like the one above, companies must log and tag all their information meticulously. That way, not only can they delete it, but they can also be sure that the information is truly gone. Without these “privacy by design” policies in place, companies will struggle to tell citizens (and regulators) that they’re fully confident the data has been erased.

The Quick and Dirty Guide to GDPR Compliance

Clearly, companies around the world face a steep climb to GDPR compliance. But by following these straightforward strategies, companies can prepare themselves to be as compliant as possible, safeguard EU data, and avoid losing chunks of their revenue in the bargain.

1. Map out Data Flows

By plotting out the process by which they consume, store, and use consumer data, companies can understand to what degree GDPR affects them. Only then can they start to safeguard it according to GDPR standards.

The first question is easy: “Do we have EU data?” If the answer is “no,” then the next question becomes “Are we sure we are not collecting EU data and will not in the future?”

Check whether any clients have customers in the EU and ask whether they collect data. If they answer “yes” to either, ask what their GDPR classification will be. Classifications include processors and controllers, each with its own privacy obligations under the new rule.

With those questions answered, designate someone within the organization to map and maintain data flows. Many businesses have a great deal of documentation on processes, but they fail to overlay that information with the types of data they collect, use, and store. Use this data flow mapping tool to get started.

2. Reduce the Scope

The easiest way to comply with new data rules is to not possess data affected by them. After mapping business processes, identify which ones are critical to your company and which ones are not. Then, dispose of and stop collecting non-critical information, starting with the processes that make GDPR compliance more complex.

Although the EU doesn’t use Social Security numbers, it provides a good example for stateside companies. Scan the network for areas where Social Security numbers are stored; then, work outward to identify other collected information, such as dates of birth, addresses, and more.

Define what data is considered protected by the EU, and then use data discovery or loss protection and prevention tools to scan the environment for various rule sets on protected data.

3. Perform a Gap Analysis

After defining and reducing the scope, the next step is to identify areas of higher risk. Where does the company collect and store large quantities of data, how is that information stored, and what are the risks of breach or improper use of information? Work down from the area of highest risk to tackle pressing issues first. Then, do a full sweep of data collection areas within the company.

This process is sometimes referred to as a privacy impact assessment (PIA) or GDPR’s required data protection assessment (DPIA). Rather than do a PIA or DPIA once and forget the results, establish a cadence to complete sweeps of all data collection areas. Hit different processes as time passes; then, swing back around and do it again to prevent oversights.

4.Designate a Privacy Officer

Compliance isn’t a one-time event. Create a committee to assess compliance on a monthly or quarterly basis. By starting with a group, the person who should be in charge will emerge naturally over time.

GDPR encourages companies to retain a privacy officer within the company. If the committee leader can’t formally assume those duties, the officer could be a new hire, a pivot from an existing role, or simply the CIO. After setting up that role, empower that person to own the road map of compliance and correct mistakes when discovered.

GDPR sets a new standard for data stewardship across the world. It will take time before the full effects of the regulation become clear, but for CSPs and other companies involved in data, compliance must come first. Follow this guide to safeguard data, create better internal processes, and avoid costly penalties.

By Brad Thies

Brad Thies

Brad Thies is the founder and president of BARR Advisory, an assurance and advisory firm specializing in cybersecurity, risk management, and compliance. Brad speaks regularly at industry events such as ISACA conferences, and he is a member of AICPA’s Trust Information Integrity Task Force. Brad’s advice has been featured in Entrepreneur, Small Business CEO, and Information Security Buzz. Prior to founding BARR, Brad managed KPMG's risk consulting division. He is a CPA and CISA.

View Website

CONTRIBUTORS

5 Things To Consider About Your Next Enterprise Sharing Solution

5 Things To Consider About Your Next Enterprise Sharing Solution

Enterprise File Sharing Solution Businesses have varying file sharing needs. Large, multi-regional businesses need to synchronize folders across a large ...
Data Science And Machine Learning Jobs Most In-Demand on LinkedIn

Data Science And Machine Learning Jobs Most In-Demand on LinkedIn

Data Science And Machine Learning Jobs Machine Learning Engineers, Data Scientists, and Big Data Engineers rank among the top emerging jobs ...
Maintaining Network Performance And Security In Hybrid Cloud Environments

Maintaining Network Performance And Security In Hybrid Cloud Environments

Hybrid Cloud Environments After several years of steady cloud adoption in the enterprise, an interesting trend has emerged: More companies ...
The Cloudification of Healthcare: Benefits and Risks

The Cloudification of Healthcare: Benefits and Risks

Cloud Healthcare: Benefits and Risks Many organizations are moving most of their business-critical applications and workloads to the cloud. The ...
How IoT and OT collaborate to usher in the data-driven factory of the future

How IoT and OT collaborate to usher in the data-driven factory of the future

The Data-driven Factory The next BriefingsDirect Internet of Things (IoT) technology trends interview explores how innovation is impacting modern factories and supply chains ...
The Connected Car: The Unknown Hero of Automotive Innovation

The Connected Car: The Unknown Hero of Automotive Innovation

Connected Car Innovation Spanning the last decade, the automotive industry has seen an explosion of technological innovation which has, and ...
Digital Innovation Starts with a Digital Core

Digital Innovation Starts with a Digital Core

Digital Innovation A lot of times when the prevalent industry trends are discussed among industry folks, there are usually two ...
5 Simple Tips to Help Avoid Ransomware

5 Simple Tips to Help Avoid Ransomware

5 Tips to Avoid Ransomware Ransomware is a particularly pernicious form of malware: unsatiated by simply using your system as ...
Istio 1.0: Making It Easier To Develop and Deploy Microservices

Istio 1.0: Making It Easier To Develop and Deploy Microservices

With the recent availability of Istio 1.0 it is not surprising that it continues to capture much attention from the ...
10 Charts That Will Change Your Perspective Of Amazon Prime’s Growth

10 Charts That Will Change Your Perspective Of Amazon Prime’s Growth

10 Charts That Will Change Your Perspective 70% of Americans with incomes of $150,000 or more who shop online have ...