Europe is a couple of months away from enforcing the General Data Protection Regulation. With this limited time, several studies still show that most companies are not prepared for the new requirements.
The fact remains that they will have to find a way of complying with this law before May 2018 if they want to remain operational in Europe without incurring heavy fines. The law essentially does two things; protects the EU citizens’ data rights, and safeguards their privacy. Therefore, it is clear that any organization that does business within the single market or deals with EU clients must comply.
GDPR increases responsibilities to the organizations by introducing more rights for data subjects. Some of these rights include the right to erasure, right to access and right for rectification of information. This alone tells organizations that they need an all-inclusive data map that covers which kind of information is stored, where it is stored and which entities have access to it. The bottom line is that they need to create new systems that enable them to carry out specialized functions with much efficiency as demanded by the new law. Before that, they have to go through several steps.
GDPR System Audit
The first stage involves evaluating the organization’s situation. This will give more insight into how much should be changed to attain compliance. To complete this first step, the firm would have to audit its data, service partners and all devices with access to personal data.
Data controllers will require organizational and technical security measures to protect the data. Data processing occurs in various methods. For instance, it can be stored on local devices located in the office, it can be printed on papers or it can be stored and processed remotely through the use of cloud technology. The most important factor is to be aware of the location of the data, those who can access it and on what devices it is stored.
Service partners such as the cloud storage and Saas who have access to the data must be audited as well. The organization must ensure that such partners also comply with the requirements. On this point, it is worth noting that the law holds processors responsible for non-compliance or data breaches. As a result, both the organization and the processing partners might be liable for the fines even if the problem was entirely on processing partners such as cloud provider. It is also essential to ensure that all devices that access personal data are known whether they are formally sanctioned or not.
Access Control
This step is concerned with regulating access to company data, maintaining records of those who gain access and preventing data breaches. To achieve effective access control an organization must control administrative privileges. It will have to ensure that regulatory actions are carried out by selected individuals. This would eliminate the risk of other people gaining control of the network. The organization should also establish tiered access to personal data to ensure that access is granted on a need to know basis. The organization must also ensure that it has the right to retrieve and delete data from all devices that access personal data.
Make Significant Investments in New and Secure Devices
Companies must invest in strong security structures that can detect and respond to breaches efficiently. They can carry out scans and software updates on a regular basis. Installation of anti-malware, firewall and antivirus are still significant, but they may not be foolproof. The tiered access security model is also essential at this stage. The organizations will need to invest in real-time detection and response software. The real-time breach responses would be required to secure the endpoints. This may include building a Security Information and Event Management (SIEM) tool. Staff training is also important in this process. Most of the cyber threats usually emanate from insider negligence. Companies must invest in staff training to prevent costly mistakes such as opening unknown attachments.
Apart from the technology related security structures, organizations must observe certain key provisions that go hand in hand with these steps. They include ensuring data breaches are reported within the stipulated time. The data subjects’ rights such as right to erasure and data portability must always be observed. Companies should always transfer data to other companies that are compliant to assure privacy safeguards.