“Complying with GDPR is not optional. If your organization controls or processes personal data on natural persons in the European Union, GDPR almost certainly applies to you.” RSA 2018
No one likes looming deadlines. You might have a sticky note on your monitor or a reminder on your white board but sometimes it’s easier to let tomorrow’s deadline take a back seat to the mini-crisis happening today. Of course, the closer we get to a deadline, the tension begins to mount … the stress builds … and we start to feel like we’re running out of time. We’re here to be the bug in your ear to remind you the May 2018 GDPR deadline is quickly approaching. Fortunately, if you do not yet have your GDPR strategy in place, there’s still time to implement a plan.
What should your strategy and plan include? Once you have that plan, what happens next? Here’s our take on the 5 Steps to Achieve GDPR Compliance:
1. Identify It
It’s time to understand how your business is managing data. It means finding out where the information is stored, who has access to it, and how long you are keeping it. Take inventory of your data sources. Whether it’s structured or unstructured, sitting in a data warehouse or in a Hadoop cluster, this inventory is critical. Remember, GDPR is about data privacy so you need to know what personal data is being stored and used. Identification and inventory is the first step to evaluating your risk exposure.
2. Discover It
Ok, so now you have access to all your data sources. Now it’s time to find out what personal data is within those data sources. Simply put, you must see it, know it, AND be able to search it. This means being able to extract, categorize, and catalog various personal data elements. This cataloging cannot be accomplished manually, but requires proven tools to help automate and ensure data quality.
3. Control It
You know where the data is. You know what’s in the data. The next step in achieving GDPR compliance is establishing proper controls. Document and share your company’s privacy rules across all business lines. For example, consider that your teams need to understand the sensitivity of the data they work with and their role in keeping it safe. (In many cases, this involves educating users about what not to do.) Establish and formalize appropriate access and provisioning rights based on roles and definitions within a documented governance framework.
4. Secure It
Article 32 requires that measures implemented must ensure a level of security appropriate to the risk. So, the next step, a critical step, is to keep sensitive data where it belongs. Prevent security breaches with a thorough risk assessment that looks at potential threats to your company’s data and vulnerabilities. Assess your internal security programs and those of your third parties. Then establish a process to identify if, when, and where a breach takes place and the appropriate policies and notification schemes that will be triggered in that event.
5. Maintain It
Accountability for GDPR standards and adherence to compliance is an ongoing, evolving process and requires vigilance. It requires auditing and reporting and tools to automate such tasks. Most organizations are not yet adequately prepared for compliance with the GDPR. Fortunately, if you’ve teamed with the right technology partner, GDPR compliance becomes a good opportunity to upgrade your organization’s posture to meet both the regulation’s requirements and improve your overall security capabilities.
Trace3’s holistic approach to your business, underscored by our Data Management Group, leverages industry leading technology solutions combined with consulting and engineering expertise (aka “secret sauce”) to create and provide positive, predictable outcomes for our clients.