GDPR is now less than 360 days away and it's starting to get the attention of the executives in companies. Why do they care now? There have been lots of directives before. The key difference is that this is no longer a directive, which a local country can opt into; GDPR is a regulation that each country must obey. It's also the fines: 4% of global turnover or 20 million. That's a lot of money in anyone's books. ISO 27001 in a lot of companies is all about getting the procedures in place for reasonable governance and ensuring the checklists and minimum levels of controls are in place to secure a favourable audit. Outside the compliance department, there is often not the level of adoption that the accreditation aspires to.
So what are some simple steps an organisation can take to ensure compliance?
Discover
Find out what data you hold on consumers and staff, and where you hold it. You need to engage with as many stakeholders and departments as possible, and see whether IT has data discovery tools to assist you.
Control
Manage how the data is used and who has access to it. Categorise the data into personal data items and less important data. If you don't have the legal authority to keep the data, remove it. If you do, ensure it is also encrypted so that it is of no use to a person who may steal it. Encrypt all storage, and keep a full record of all the places this data can be found, be it on storage tapes, in the cloud, in databases or on paper. If it has been accessed by systems, ensure these are noted centrally for easy reporting.
Protect
IT departments exist for a reason. They need to be at the core of an organisation. Shadow IT flies in the face of the centralised compliance approach of GDPR. IT needs to be the gateway through which all data flows, with all systems protected by them to guard against data breaches. If you scan the systems and find vulnerabilities, fix them as soon as possible. If you develop your own software, use the OWASP tools to scan your code as part of your DevOps approach. If they find vulnerabilities, share this data with other IT people, as other systems may have the same risks yet to be detected.
If there is a breach, inform the affected users as soon as possible and ensure that the GDPR breach is reported to the regulator within 72 hours at most.
Report
If a person contacts you looking for the data you store on them, ensure that this data is readily available and can be reported in a common format. Keep the information required to fulfil these requests, and all the data about the requests themselves. If you respond quickly, then hopefully the person will sing your praises from a height on the social channels and set you apart from the competition.
Review
It's all well and good to do this as a one-off effort, but each of the points above will need to be done on an ongoing basis. Also keep analysing your data in case someone has created fields or data that could compromise your GDPR compliance.
This ensures you stay compliant and will reduce the overall risk for your business.
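The Control, Report and Review steps above all rest on one thing: a central register of where personal data lives, whether it is encrypted, which systems have read it, and what fields it contains. The following is an added example written for this post, not code from the original author, of such a register in Python. Everything in it is constructed for illustration: the store names (crm-db, marketing-sheet, archive-tape), the sample records, the system names, and the assumed policy list PERSONAL_FIELDS that decides which field names count as personal data. It classifies each store's fields into personal and other data, flags stores holding personal data without encryption, lists every location of a given field, produces a subject access report in a common (JSON) format including which systems accessed the data, and, for the Review step, detects personal-data fields that were added to a store after it was registered.

```python
import json
from dataclasses import dataclass, field

# Assumed policy: field names treated as personal data (constructed for this example).
PERSONAL_FIELDS = {"name", "email", "phone", "address", "date_of_birth"}


@dataclass
class DataStore:
    """One place data can live: a database, cloud bucket, backup tape or paper file."""
    name: str
    kind: str
    encrypted: bool
    records: list = field(default_factory=list)    # constructed sample rows
    accessed_by: set = field(default_factory=set)  # systems that have read this store


def _fields_of(store: DataStore) -> set:
    """All field names present in a store's records."""
    return set().union(*(row.keys() for row in store.records))


class Register:
    """Central record of where data is held, how it is classified and who accessed it."""

    def __init__(self):
        self.stores = {}
        self.known_fields = {}  # store name -> field names seen when it was registered

    def add_store(self, store: DataStore) -> None:
        self.stores[store.name] = store
        self.known_fields[store.name] = _fields_of(store)

    def record_access(self, store_name: str, system: str) -> None:
        """Control: note centrally that a system has accessed this store."""
        self.stores[store_name].accessed_by.add(system)

    def classify(self, store_name: str):
        """Control: split a store's fields into (personal data, less important data)."""
        fields = _fields_of(self.stores[store_name])
        personal = fields & PERSONAL_FIELDS
        return personal, fields - personal

    def unencrypted_personal(self) -> list:
        """Control: stores that hold personal data but are not encrypted."""
        return sorted(name for name, store in self.stores.items()
                      if not store.encrypted and self.classify(name)[0])

    def locations_of(self, field_name: str) -> list:
        """Control: every store in which a given personal-data field can be found."""
        return sorted(name for name in self.stores if field_name in self.classify(name)[0])

    def new_personal_fields(self, store_name: str) -> set:
        """Review: personal-data fields that appeared after the store was registered."""
        current = _fields_of(self.stores[store_name])
        return (current - self.known_fields[store_name]) & PERSONAL_FIELDS

    def subject_access_report(self, email: str) -> dict:
        """Report: everything held about one person, plus which systems read each store."""
        report = {"subject": email, "stores": []}
        for name, store in self.stores.items():
            rows = [{k: v for k, v in row.items() if k in PERSONAL_FIELDS}
                    for row in store.records if row.get("email") == email]
            if rows:
                report["stores"].append({
                    "store": name, "kind": store.kind, "encrypted": store.encrypted,
                    "accessed_by": sorted(store.accessed_by), "records": rows})
        return report

    def subject_access_json(self, email: str) -> str:
        """The same report serialised in a common, machine-readable format."""
        return json.dumps(self.subject_access_report(email), indent=2, sort_keys=True)


def build_sample_register() -> Register:
    """Constructed sample data: three stores, two accessing systems, one late-added field."""
    reg = Register()
    reg.add_store(DataStore("crm-db", "database", encrypted=True, records=[
        {"name": "Ann Example", "email": "ann@example.test", "phone": "0100", "plan": "gold"}]))
    reg.add_store(DataStore("marketing-sheet", "cloud", encrypted=False, records=[
        {"email": "ann@example.test", "campaign": "spring"}]))
    reg.add_store(DataStore("archive-tape", "tape", encrypted=True, records=[
        {"invoice_id": 17, "total": 99.0}]))
    reg.record_access("crm-db", "billing-service")
    reg.record_access("marketing-sheet", "newsletter-tool")
    # Review scenario: someone later adds a date_of_birth column to the marketing sheet.
    reg.stores["marketing-sheet"].records.append(
        {"email": "ann@example.test", "campaign": "summer", "date_of_birth": "1980-01-01"})
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    print("Unencrypted stores with personal data:", reg.unencrypted_personal())
    print("Stores holding 'email':", reg.locations_of("email"))
    print("New personal fields in marketing-sheet:", reg.new_personal_fields("marketing-sheet"))
    print(reg.subject_access_json("ann@example.test"))
```

Run as written, it reports the unencrypted marketing sheet as the store to fix first, shows that the subject's data is in two places rather than the one the CRM team might assume, and catches the date_of_birth column that was added without going through the register. Re-running new_personal_fields against each store on a schedule is the ongoing check the Review step calls for.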
Following these quick steps will greatly help you ensure compliance with GDPR and make the risk of a debilitating fine less likely.
Make sure to like my post, and feel free to comment and challenge my points if you want.