This new year brings the most significant change to data privacy regulation in two decades with the European Union (EU) General Data Protection Regulation (GDPR). The GDPR shifts the responsibility for protection of personal information to those who collect and manage it, compelling organizations to balance the risk of data compromise with the benefits of use.
Any organization handling personal data of EU citizens must be compliant with the GDPR by May 25, 2018, or face heavy penalties. Organizations in alignment by the deadline will earn reputations as trusted stewards of personal data and win customer loyalty.
Achieving and maintaining GDPR compliance requires implementation of technical and organizational measures to identify, control and manage personal data. Organizations must:
The transition can seem overwhelming, but with some guidance, meeting the cybersecurity requirements for GDPR can be accomplished in six steps. This measured approach starts with a comprehensive look at the personal information in an organization and how it is stored, using data discovery and gap assessment. Once exposure risks are identified, appropriate security controls, architecture, intelligence and services are put in place to meet the new requirements in the most efficient and cost-effective manner.
Identifying all the personal information within an organization and putting procedures in place to properly log, store and manage it is no small task. A combination of manual and automated methods enables comprehensive discovery of structured and unstructured data. Once gathered, risk-reward rationale for retaining and protecting personal data should be applied. Retention is typically justified for data sets that generate profit for the organization, support normal business operations or demonstrate regulatory compliance.
Next, a gap assessment reviews security controls, architecture and intelligence capabilities against GDPR requirements to prioritize resources for a smooth path to compliance. Updating security controls using established ISO27002 guidelines is a good starting point. To prioritize the protection of personal data, applying capabilities such as microsegmentation, identity management and encryption strengthens security architecture. Lastly, ensuring adequate security monitoring for breach detection and incident reporting within 72 hours is required.
Not all organizations have the dedicated security resources or expertise required to evaluate, implement and maintain the personal data protections of the GDPR. In these situations, security services are a cost-effective strategy for extending internal capabilities in operations, assessment and design. GDPR requires a much higher level of vigilance and ongoing operational security than previous security regulations. Tapping managed security services that provide identity management or security monitoring can help organizations successfully meet the new requirements.
By aligning with the GDPR, organizations will begin to embed privacy practices into processes moving forward. Data protection assessments, such as a privacy impact assessment (PIA), help identify and address privacy issues that might arise when developing new products and services, or engaging in new activities that involve the processing of personal data. Privacy by default is achieved by ensuring that the processing of personal information is only undertaken as necessary for the originally intended purpose, retained for the time necessary for that purpose and not made available to an indefinite number of people.
For more information about preparing your organization for GDPR, download our GDPR Readiness Guide.