GDPR Compliance

A Quick and Dirty Guide to GDPR Compliance

GDPR Compliance

Set a reminder: On May 25, 2018, the new General Data Protection Regulation directive from the European Union will go into effect. Although its goal to protect consumer data is admirable, about a third of global companies don’t know whether they need to comply with the stricter guidelines.

Spoiler alert: They probably do.

Even companies outside the EU are subject to the regulation if they store or process the data of people who live in Europe. Companies that don’t do any business within the EU aren’t safe, either — just having the data of EU citizens from other channels is enough. Cloud service providers, which were previously insulated from most data privacy liabilities, will be held responsible as “data processors” under GDPR.

Complying with the new rule will not be cheap, with 68 percent of affected U.S. companies anticipating costs above $1 million. Companies that fail to comply could be subject to fines of up to 4 percent of their global revenues. That’s an extreme punishment, but it could hit any company that fails to abide by the GDPR. Companies that only pay lip service to the rules will see the steepest penalties.

data compliance

How, though, can businesses log every part of every transaction involving EU citizen data? For CSPs with legacy systems, such sweeping changes are nearly impossible — and, when possible, extremely costly.

The better plan is for companies to take this opportunity to upgrade their data security processes. Don’t think of GDPR as the framework. Instead, build a new one. Start and follow data flows; then, map out any business process that collects, uses, retains, stores, or transmits information that falls under the new rule.

The Privacy Challenge

Companies usually only need to worry about privacy when using consumer information. Under GDPR, however, anyone who processes the information is subject to scrutiny.

This new level of responsibility requires companies to stay vigilant about how they interact with consumer data. For CSPs, that means ensuring data can only go where it should, preventing sensitive information associated with one product from being transferred to another.

Logging and tracking information is the most difficult — and most important — aspect of the new rule. EU citizens will soon have the “right to be forgotten,” which allows them to tell search engines and CSPs to erase them from the web.

To respond to requests like the one above, companies must log and tag all their information meticulously. That way, not only can they delete it, but they can also be sure that the information is truly gone. Without these “privacy by design” policies in place, companies will struggle to tell citizens (and regulators) that they're fully confident the data has been erased.

The Quick and Dirty Guide to GDPR Compliance

Clearly, companies around the world face a steep climb to GDPR compliance. But by following these straightforward strategies, companies can prepare themselves to be as compliant as possible, safeguard EU data, and avoid losing chunks of their revenue in the bargain.

1. Map out Data Flows

By plotting out the process by which they consume, store, and use consumer data, companies can understand to what degree GDPR affects them. Only then can they start to safeguard it according to GDPR standards.

The first question is easy: “Do we have EU data?” If the answer is “no,” then the next question becomes “Are we sure we are not collecting EU data and will not in the future?”

Check whether any clients have customers in the EU and ask whether they collect data. If they answer “yes” to either, ask what their GDPR classification will be. Classifications include processors and controllers, each with its own privacy obligations under the new rule.

With those questions answered, designate someone within the organization to map and maintain data flows. Many businesses have a great deal of documentation on processes, but they fail to overlay that information with the types of data they collect, use, and store. Use this data flow mapping tool to get started.

2. Reduce the Scope

The easiest way to comply with new data rules is to not possess data affected by them. After mapping business processes, identify which ones are critical to your company and which ones are not. Then, dispose of and stop collecting non-critical information, starting with the processes that make GDPR compliance more complex.

Although the EU doesn’t use Social Security numbers, it provides a good example for stateside companies. Scan the network for areas where Social Security numbers are stored; then, work outward to identify other collected information, such as dates of birth, addresses, and more.

Define what data is considered protected by the EU, and then use data discovery or loss protection and prevention tools to scan the environment for various rule sets on protected data.

3. Perform a Gap Analysis

After defining and reducing the scope, the next step is to identify areas of higher risk. Where does the company collect and store large quantities of data, how is that information stored, and what are the risks of breach or improper use of information? Work down from the area of highest risk to tackle pressing issues first. Then, do a full sweep of data collection areas within the company.

This process is sometimes referred to as a privacy impact assessment (PIA) or GDPR's required data protection assessment (DPIA). Rather than do a PIA or DPIA once and forget the results, establish a cadence to complete sweeps of all data collection areas. Hit different processes as time passes; then, swing back around and do it again to prevent oversights.

4.Designate a Privacy Officer

Compliance isn’t a one-time event. Create a committee to assess compliance on a monthly or quarterly basis. By starting with a group, the person who should be in charge will emerge naturally over time.

GDPR encourages companies to retain a privacy officer within the company. If the committee leader can't formally assume those duties, the officer could be a new hire, a pivot from an existing role, or simply the CIO. After setting up that role, empower that person to own the road map of compliance and correct mistakes when discovered.

GDPR sets a new standard for data stewardship across the world. It will take time before the full effects of the regulation become clear, but for CSPs and other companies involved in data, compliance must come first. Follow this guide to safeguard data, create better internal processes, and avoid costly penalties.

By Brad Thies

Brad Thies

Brad Thies is the founder and president of BARR Advisory, an assurance and advisory firm specializing in cybersecurity, risk management, and compliance. Brad speaks regularly at industry events such as ISACA conferences, and he is a member of AICPA’s Trust Information Integrity Task Force. Brad’s advice has been featured in Entrepreneur, Small Business CEO, and Information Security Buzz. Prior to founding BARR, Brad managed KPMG's risk consulting division. He is a CPA and CISA.

View Website
Multi or Hybrid Cloud, What’s the Difference?

Multi or Hybrid Cloud, What’s the Difference?

Multi Cloud You’ve likely heard about the latest trend in cloud computing commonly referred to as multi-cloud, and it is taking the world by storm. Hybrid and traditional cloud based systems are reaching their limits; ...
Webroot Threat Research Reveals the Top 10 Nastiest Ransomware Attacks of 2017

Webroot Threat Research Reveals the Top 10 Nastiest Ransomware Attacks of 2017

Nastiest Ransomware Attacks of 2017 BROOMFIELD, Colo., Oct. 31, 2017 /PRNewswire/ -- Webroot, a leader in endpoint security, network security, and threat intelligence, revealed the 10 nastiest ransomware attacks to hit within the past year. According to Webroot's ...
How IoT and OT collaborate to usher in the data-driven factory of the future

How IoT and OT collaborate to usher in the data-driven factory of the future

The Data-driven Factory The next BriefingsDirect Internet of Things (IoT) technology trends interview explores how innovation is impacting modern factories and supply chains. We’ll now learn how a leading-edge manufacturer, Hirotec, in the global automotive industry, takes advantage of ...
Cloud Security Alliance Issues New Code of Conduct for GDPR Compliance

Cloud Security Alliance Issues New Code of Conduct for GDPR Compliance

EDINBURGH, Scotland, Nov. 21, 2017 /PRNewswire-USNewswire/ -- The Cloud Security Alliance (CSA), the world's leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment, today released the CSA Code of Conduct for ...
Safeguarding Data Before Disaster Strikes

Safeguarding Data Before Disaster Strikes

Safeguarding Data  Online data backup is one of the best methods for businesses of all sizes to replicate their data and protect against data loss in the event of an IT outage or security incident ...
The Ligther Side Of The Cloud - Speed Browsing
The Lighter Side Of The Cloud - Autonomous Sleigh
The Lighter Side Of The Cloud - F96qL#5
The Lighter Side Of The Cloud - Virtual Office Space
The Lighter Side Of The Cloud - Recovery Experts
The Lighter Side Of The Cloud - Once A Year
The Lighter Side Of The Cloud - Dial-up Speeds
The Lighter Side Of The Cloud - DNA Storage
Cloud Marketing Professional

CLOUDBUZZ NEWS

72-hour rule: Can you identify and report a data breach within 3 days?

72-hour rule: Can you identify and report a data breach within 3 days?

In a series of blog posts, the ‘Coach’ offers recommendations on how to get businesses into shape so they can thrive in the new data era. The 72-hour rule included in the European Union’s General Data Protection ...
Silicon breakthrough could make key microwave technology much cheaper and better

Silicon breakthrough could make key microwave technology much cheaper and better

THURSDAY, MAY 24, 2018 - Researchers using powerful supercomputers have found a way to generate microwaves with inexpensive silicon, a breakthrough that could dramatically cut costs and improve devices such as sensors in self-driving vehicles ...
Oracle Blockchain Cloud Service and Financial Services Enable Next-Gen Blockchain Innovators

Oracle Blockchain Cloud Service and Financial Services Enable Next-Gen Blockchain Innovators

Students Tackle Real Problems and Succeed in Blockchain Challenge In an effort to accelerate blockchain innovation in Financial Services and other industries, Oracle recently joined academia and banking industry leaders as part of the Carolina Fintech ...