GDPR Compliance

A Quick and Dirty Guide to GDPR Compliance

GDPR Compliance

Set a reminder: On May 25, 2018, the new General Data Protection Regulation directive from the European Union will go into effect. Although its goal to protect consumer data is admirable, about a third of global companies don’t know whether they need to comply with the stricter guidelines.

Spoiler alert: They probably do.

Even companies outside the EU are subject to the regulation if they store or process the data of people who live in Europe. Companies that don’t do any business within the EU aren’t safe, either — just having the data of EU citizens from other channels is enough. Cloud service providers, which were previously insulated from most data privacy liabilities, will be held responsible as “data processors” under GDPR.

Complying with the new rule will not be cheap, with 68 percent of affected U.S. companies anticipating costs above $1 million. Companies that fail to comply could be subject to fines of up to 4 percent of their global revenues. That’s an extreme punishment, but it could hit any company that fails to abide by the GDPR. Companies that only pay lip service to the rules will see the steepest penalties.

data compliance

How, though, can businesses log every part of every transaction involving EU citizen data? For CSPs with legacy systems, such sweeping changes are nearly impossible — and, when possible, extremely costly.

The better plan is for companies to take this opportunity to upgrade their data security processes. Don’t think of GDPR as the framework. Instead, build a new one. Start and follow data flows; then, map out any business process that collects, uses, retains, stores, or transmits information that falls under the new rule.

The Privacy Challenge

Companies usually only need to worry about privacy when using consumer information. Under GDPR, however, anyone who processes the information is subject to scrutiny.

This new level of responsibility requires companies to stay vigilant about how they interact with consumer data. For CSPs, that means ensuring data can only go where it should, preventing sensitive information associated with one product from being transferred to another.

Logging and tracking information is the most difficult — and most important — aspect of the new rule. EU citizens will soon have the “right to be forgotten,” which allows them to tell search engines and CSPs to erase them from the web.

To respond to requests like the one above, companies must log and tag all their information meticulously. That way, not only can they delete it, but they can also be sure that the information is truly gone. Without these “privacy by design” policies in place, companies will struggle to tell citizens (and regulators) that they’re fully confident the data has been erased.

The Quick and Dirty Guide to GDPR Compliance

Clearly, companies around the world face a steep climb to GDPR compliance. But by following these straightforward strategies, companies can prepare themselves to be as compliant as possible, safeguard EU data, and avoid losing chunks of their revenue in the bargain.

1. Map out Data Flows

By plotting out the process by which they consume, store, and use consumer data, companies can understand to what degree GDPR affects them. Only then can they start to safeguard it according to GDPR standards.

The first question is easy: “Do we have EU data?” If the answer is “no,” then the next question becomes “Are we sure we are not collecting EU data and will not in the future?”

Check whether any clients have customers in the EU and ask whether they collect data. If they answer “yes” to either, ask what their GDPR classification will be. Classifications include processors and controllers, each with its own privacy obligations under the new rule.

With those questions answered, designate someone within the organization to map and maintain data flows. Many businesses have a great deal of documentation on processes, but they fail to overlay that information with the types of data they collect, use, and store. Use this data flow mapping tool to get started.

2. Reduce the Scope

The easiest way to comply with new data rules is to not possess data affected by them. After mapping business processes, identify which ones are critical to your company and which ones are not. Then, dispose of and stop collecting non-critical information, starting with the processes that make GDPR compliance more complex.

Although the EU doesn’t use Social Security numbers, it provides a good example for stateside companies. Scan the network for areas where Social Security numbers are stored; then, work outward to identify other collected information, such as dates of birth, addresses, and more.

Define what data is considered protected by the EU, and then use data discovery or loss protection and prevention tools to scan the environment for various rule sets on protected data.

3. Perform a Gap Analysis

After defining and reducing the scope, the next step is to identify areas of higher risk. Where does the company collect and store large quantities of data, how is that information stored, and what are the risks of breach or improper use of information? Work down from the area of highest risk to tackle pressing issues first. Then, do a full sweep of data collection areas within the company.

This process is sometimes referred to as a privacy impact assessment (PIA) or GDPR’s required data protection assessment (DPIA). Rather than do a PIA or DPIA once and forget the results, establish a cadence to complete sweeps of all data collection areas. Hit different processes as time passes; then, swing back around and do it again to prevent oversights.

4.Designate a Privacy Officer

Compliance isn’t a one-time event. Create a committee to assess compliance on a monthly or quarterly basis. By starting with a group, the person who should be in charge will emerge naturally over time.

GDPR encourages companies to retain a privacy officer within the company. If the committee leader can’t formally assume those duties, the officer could be a new hire, a pivot from an existing role, or simply the CIO. After setting up that role, empower that person to own the road map of compliance and correct mistakes when discovered.

GDPR sets a new standard for data stewardship across the world. It will take time before the full effects of the regulation become clear, but for CSPs and other companies involved in data, compliance must come first. Follow this guide to safeguard data, create better internal processes, and avoid costly penalties.

By Brad Thies

Brad Thies

Brad Thies is the founder and president of BARR Advisory, an assurance and advisory firm specializing in cybersecurity, risk management, and compliance. Brad speaks regularly at industry events such as ISACA conferences, and he is a member of AICPA’s Trust Information Integrity Task Force. Brad’s advice has been featured in Entrepreneur, Small Business CEO, and Information Security Buzz. Prior to founding BARR, Brad managed KPMG's risk consulting division. He is a CPA and CISA.

View Website

12 Promising Business Intelligence (BI) Services For Your Company

12 Promising Business Intelligence (BI) Services For Your Company

Business Intelligence (BI) Services Business Intelligence (BI) services have recently seen an explosion of innovation and choices for business owners and entrepreneurs. So many choices, in fact, that many companies aren’t sure which business intelligence company to use. To help ...
15 Promising Cloud-Based Video Conferencing Services

15 Promising Cloud-Based Video Conferencing Services

Cloud Video Conferencing Services We have put together a compilation of some of the best cloud based conferencing services for businesses. The cloud video conferencing services market is expected to reach US$ 6.40 Billion by 2020 from the current $3.31 ...
Infographic - Internet of Things (IoT) Will Be Top Technology Investment

Infographic – Internet of Things (IoT) Will Be Top Technology Investment

Internet of Things Investment Investors are jumping all over the opportunities abound when it comes to the Internet of Things and Big Data. There is simply way too much money at stake to ignore the potential that is going to truly ...

SPONSORS

What Is Net Neutrality And Why Is It So Important?

What Is Net Neutrality And Why Is It So Important?

What Is Net Neutrality? Net neutrality is a concept that has been the centre of a lot of debates recently, ...
Moving Test and Dev to the Cloud: How the "As-A-Service" Economy Delivers Tangible Benefits

Moving Test and Dev to the Cloud: How the “As-A-Service” Economy Delivers Tangible Benefits

Moving Test and Dev to the Cloud Have you ever seen the old parlor trick in which a person pulls ...

Cloud Community Supporters

(ISC)²
AWS
HPE
CA Technologies
Cisco

Cloud community support comes from sponsorship, service opportunities and collaborative network partnership initiatives.

They’re Baaack! Smile you are on Camera – Everywhere!

They’re Baaack! Smile you are on Camera – Everywhere!

Remember Google glasses? Better yet, remember glassholes? It all came and went in just a flash as society reacted to nerds wearing pretentious and creepily intrusive face gear. Well beware, they are back and with a vengeance. It seemed so cool and with so much
How Deep Learning Will Change Customer Experience

How Deep Learning Will Change Customer Experience

Deep learning is a sub-category within machine learning and artificial intelligence. It is inspired by and based on the model of the human brain to create artificial neural networks for machines. Deep learning will allow machines and devices to function in some ways as humans

"Top 100 Brand Influencer, Cloud”
-ONALYTICA

"Best Cloud Computing Blog"
-SYSADMIN MAGAZINE

"Top 10 Sites For Cloud Computing"
-DIGITALISTMAG SAP

"Top 10 Cloud Computing Blogs”
-MARKETING ENVY

"Top 25 Must Read Cloud Blogs"
-CLOUDENDURE