Getting ready for General Data Protection Regulation (GDPR) compliance doesn't have to be the daunting task many make it out to be. If you are not familiar with the regulation, then you can learn more about it here. As an updated version of the European Union’s (EU) current data protection measure, it will affect any organization processing the personal data of EU citizens. With that in mind, today we’ll talk about six things you can start doing right now to get GDPR ready.
1. Read the Articles and Know Your Responsibilities
The first, best, and easiest way to get ready for the GDPR is to learn about the regulation itself. Reviewing the 99 articles will familiarize you not only with what the regulation states but also with what it expects, and what it truly means for your organization.
The articles lay out what organizations need to know in order to understand the GDPR, including important definitions, who is affected, how to achieve compliance, and more.
Once you have a working knowledge of the regulation, you'll want to make sure all relevant people in your organization are aware of the key points. This includes senior management, stakeholders, and anyone handling personal data and data security. Despite knowledge of the regulation, many organizations report they are still unsure how to proceed.
2. Understand What Data Needs Protecting
The GDPR is concerned with certain categories of data, and your job will be much easier if you know what data your organization processes and whether that data is affected. The major types of data covered by the GDPR are sensitive information and personal information that can be used to identify, locate, or contact a resident of the EU. This includes identifiers such as name, location, gender, social or cultural factors, economic information, physical description, email address, and genetic identifiers.
As pointed out by Symantec, the amount of data collected by organizations increased from 1.2 zettabytes (ZB) in 2010 to 7.9 ZB in 2015. Some projections suggest that by 2020 the amount of data gathered will reach 40 ZB.
3. Designate a Data Protection Officer for Your Organization
Most organizations that deal with customers or data in the EU will be required to appoint a data protection officer (DPO) in order to be GDPR compliant, especially if they buy or sell goods to EU citizens. Even if the GDPR does not require you to have a DPO, appointing one is still a good idea for your organization's overall data security policies. A DPO is responsible not only for ensuring compliance, but also for understanding the regulations, training staff in proper data handling, providing advice and information, performing audits, and acting as the contact point between your organization and the supervisory authorities.
4. Integrate Data Protection by Design and by Default into Your Policies
The easiest way to make sure your organization is doing everything it can for data security and privacy is to build protective measures directly into your regular policies. To start, conduct a risk assessment to see where breaches and problems are most likely to occur, and where your most sensitive data might be at risk. From there, you can build safeguards into all your policies to protect your data. A few examples include:
· Only using the personal data that is mandatory for a particular transaction
· Pseudonymizing personal data to protect identities
· Only retaining the data that is necessary for further use
5. Adopt a Policy that Prioritizes Consent and Transparency
Privacy and consent are at the crux of many elements in the GDPR, and it’s crucial that your policies regarding personal data be transparent. For instance, you must make it clear what data you'll be collecting, how you'll use it, and where you'll store it.
Furthermore, implied consent doesn’t count (for example, a pre-checked box), and you can’t change your policies without obtaining additional consent. Finally, a data controller is also responsible for providing records demonstrating that consent was properly given, which means your process for obtaining consent needs accurate documentation.
6. Be Prepared to Deal with Breaches
Another important element of the GDPR is the onus it places on organizations to notify the authorities and all affected parties of a breach within 72 hours. This means not only that you need policies and people in place to watch for breaches at all times, but also that you must have a plan to take immediate action if your data is compromised.
The fines for non-compliance are hefty, and you don’t want to find yourself unprepared for the changes.
File Integrity Monitoring for GDPR Compliance
CimTrak is an invaluable file integrity monitoring software to help with GDPR compliance. CimTrak provides heightened levels of security to keep your systems, files, and data secure. To learn more about GDPR compliance, download our solution brief today.
March 27, 2018