Crunch time for GDPR - how to prepare. Eight steps to compliance.
Crunch time for GDPR - how to prepare. Eight steps to compliance.
The General Data Protection Regulation (GDPR), due to come into effect on the 25th May 2018, will impact the compliance landscape way beyond the coastline of the UK. All organisations based at least partially online and handling data across the EU must comply with the new rules to ensure data protection.

Yet, it seems many businesses aren't prepared. Research undertaken by cloud solution provider, Calligo, found that 69 percent of UK businesses are “inadequate” in their preparation for the regulation's introduction. But, with a hefty fine of €20 million, or four percent of the company's global revenue looming, being unprepared is dangerous.

The good thing is, businesses still have plenty of time to prepare over the next ten months. To help you get started, below is a brief overview of key activities and their associated time frames that will help get your ducks in a row.

Communicate impending changes to C-Suite

This should be done as soon as you can prior to kicking off your GDPR-readiness project. Ensuring your organisation's key decision makers are made aware the law is changing and how this will impact your business is essential. GDPR will significantly impact your business' security, thus ensuring everyone is aware of the potential changes will help to get everyone engaged.

Identify the information your organisation holds

You simply can't protect sensitive data if you don't know what data you have or where it is located. Conduct a thorough audit of your business data to identify where on your networks it resides. Maps can be used to help identify the information and provide visibility around the collection, storage and processing of the data across your networks. Be aware that this will take one week to four months, depending on the size of your organisation.

Review and establish access rights

Review access permissions to data across your entire network and implement contextual policies which ensure only those with a business need are provided access to the data. This will require one week to a month to be completed. Set up a process for regular reviews of data permissions and revisions to ensure robust data governance, and to implement a system to deliver a detailed audit trail of file permission changes which is clear and up to date. 

Implement robust data monitoring capabilities

It's no good having the right access policies in place if you cannot monitor or enforce these. A monitoring solution will help to identify any existing security gaps, provide visibility around data movement and deliver detailed reporting and forensics analysis when you need it. If monitoring alerts you to issues, go back, address these, and continue to monitor the area closely. A timeframe of one week to a month should be allocated for this.

Create your Incident Response Plan

GDPR requires you to notify the supervisory authority of a data breach, or face hefty fines if you don't, or can't. An Incident Response Plan will take one week to a month to develop and comprises of four stages:

1.       Immediate action to stop or minimise the breach
2.       Post-breach investigation that must include a notification process to customers and the supervisory authority
3.       Restoration of affected data and resources
4.       Breach notification
Someone must be in charge

Appoint a DPO or a person in charge to "own" GDPR compliance – the sooner the better. Your organisation under the GDPR requires someone who can ensure the privacy policies, customer consent and data protection controls are in place and functional. In addition, responding to subject access requests, ensuring the right to be forgotten is executed upon request and if necessary carrying out a Data Privacy Impact Assessment needs to also be owned.

Ensure staff are trained in data protection

Plan early to ensure resources are in place and hiring timeline is accounted for. The GDPR requires staff members to exercise due diligence when it comes to the collection, storage and processing of personal, private information. A key part of this is an information security training programme and a hire, such as a Data Protection Officer (DPO), to provide guidance.

Lastly, don't panic. Although it may create big challenges for organisations to face, in the long term GDPR will promote greater data security for customers and employees alike, which is positive for everyone. Improving the security of data and realising the customer benefit of transparency will bring your organisation a large risk reduction and avoid landing in hot water with the supervisory authority.

Contributed by Dr Jamie Graves, CEO, ZoneFox

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.