Last week we had an overview of the GDPR and the changes it brings to existing data privacy legislation. Although the intentions behind it are good and the public will enjoy increased protections, the regulation undoubtedly places a significant strain on companies, especially once you consider the consequences of noncompliance. So I thought it would be a good idea to put together an agenda that can serve as an approximate guide for those about to start, or already undergoing, this process.
The first step towards compliance is an enterprise-wide evaluation of your data privacy policies and practices. You can break this initial step into two main segments. First, you need a data discovery and classification exercise. This stands to reason, I hope: you can hardly safeguard your customers’ information if you don’t know where it lives or what risk profile it carries. Be thorough, even if it means tedium or ruffling a few feathers; it will save you a lot of headaches later. Do you need a data classification tool? Not every company benefits from one, so ask the vendor for a solid proof of concept on your own data before you buy. As you identify repositories and gradually build a more accurate data landscape, classify the data by sensitivity, and keep the special categories of personal data (health, biometric and genetic data, and the like) in a tier of their own, since the GDPR treats them more strictly. The visibility you gain by doing this will prove essential afterwards in prioritizing and putting together a solid data privacy strategy.
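To make the discovery exercise concrete, here is a small added example of the kind of scan a team might run over exported records from each repository. It is not code from the original post; the repository names, the sample records, the regular expressions and the three tier names are all my own assumptions, and the health keyword list stands in for a real lexicon. Each repository takes the highest tier any of its records triggers, so a file with one health note is classified above a file full of e-mail addresses, and the report comes back sorted most-sensitive first, which is exactly the ordering you want when prioritizing.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Sensitivity tiers, least to most sensitive. A repository is assigned the
# highest tier that any detector fires on. Names are assumptions.
TIERS = ["internal", "confidential", "restricted"]

# (label, tier, pattern). Ordinary personal data is "confidential";
# GDPR Article 9 special categories (here: health) are "restricted".
# The health keyword list is a placeholder for a real lexicon.
DETECTORS = [
    ("email", "confidential", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("phone", "confidential", re.compile(r"\+\d{1,3}(?:[ -]?\d){7,12}\b")),
    ("health", "restricted",
     re.compile(r"\b(asthma|diabet\w*|insulin|pregnan\w*|hiv)\b", re.I)),
]

# Constructed sample repositories (not real data): a name and a few records.
SAMPLE_REPOSITORIES = {
    "crm_export.csv": [
        "Jane Doe,jane.doe@example.com,+44 20 7946 0958",
        "John Smith,john.smith@example.org,+44 161 496 0000",
    ],
    "hr_health_notes.txt": [
        "Employee 1042: asthma, annual review pending",
        "Employee 1077: diabetic, insulin kept in office fridge",
    ],
    "build_logs.txt": [
        "[INFO] build #231 succeeded in 42s",
        "[WARN] cache miss for artifact core-1.4.2",
    ],
}


@dataclass
class Finding:
    repository: str
    tier: str
    hits: Dict[str, int] = field(default_factory=dict)  # detector label -> count


def classify_records(name: str, records: List[str]) -> Finding:
    """Scan every record of one repository and return its tier and hit counts."""
    finding = Finding(repository=name, tier="internal")
    for record in records:
        for label, tier, pattern in DETECTORS:
            count = len(pattern.findall(record))
            if not count:
                continue
            finding.hits[label] = finding.hits.get(label, 0) + count
            # Escalate the repository tier if this detector is more sensitive.
            if TIERS.index(tier) > TIERS.index(finding.tier):
                finding.tier = tier
    return finding


def inventory(repos: Dict[str, List[str]]) -> List[Finding]:
    """Classify all repositories, most sensitive first, to double as a priority list."""
    findings = [classify_records(name, recs) for name, recs in repos.items()]
    return sorted(findings, key=lambda f: TIERS.index(f.tier), reverse=True)


if __name__ == "__main__":
    for f in inventory(SAMPLE_REPOSITORIES):
        print(f"{f.tier:12} {f.repository:22} {f.hits}")
```

In a real run the records would come from database exports, file shares and SaaS APIs rather than an inline dictionary, and the detectors would include national identifiers and the other Article 9 categories; the structure stays the same, and the resulting table is the data landscape the rest of the program builds on.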
Modeling the flow of data is just as important. The risk profile of the data your company handles is closely tied to how personal information moves between parties and across channels. Mapping that movement shows your team where the most hazardous areas are. Third parties are a typical example: under the GDPR you remain responsible for the processors acting on your behalf, so you will need the contractual right to audit them and should exercise it regularly to confirm their processes and infrastructure are up to par.
The second step towards that all-important GDPR compliance is a gap analysis, which uncovers the gaps between your existing risk mitigation environment and the requirements of the GDPR. This should be relatively straightforward if you were diligent during the first step. To bring structure and clarity to the process, ask yourself, as an organization: how much risk are we comfortable with, and does our risk mitigation strategy cover all bases (people and skills, processes, infrastructure)? Identifying your company’s risk appetite and scoping the project correctly will help you produce accurate and meaningful results.
Moving on to step three, we have strategy development. This step is comprehensive, which is why an organized approach is key. Start by creating a business case for your GDPR program that accounts for all the investments necessary to achieve compliance. The main areas you will be looking at are consulting, new technologies, and staff recruitment and training.
External help is often required for organizations with low cybersecurity practice maturity, or with environments so vast and complex that inside knowledge and skills alone will not do. Cyber-insurers, incident response companies and similar service providers have become increasingly sought after since the regulation was adopted. That doesn’t mean you should jump on the bandwagon blindly: assess your needs carefully and contract external services only if you need them, choosing a provider whose benefits are obvious.
As far as staff goes, you will need to provide security training for your employees to bring home the importance of your clients’ personal data. It may come as a surprise, but a great many data leaks are caused by Pete, the guy from HR, making an honest mistake, rather than by cybercrime groups. You may also have to appoint a data protection officer: the GDPR requires one for public authorities and for organizations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data. Oh, and then there are the fines; it might be a good idea to set aside some money, should the worst happen.
After documenting all the resources and expected costs, you can begin developing the strategy that addresses the gaps you highlighted in the second step. The best advice I can give at this point is to create an in-depth roadmap and act methodically. Start by evaluating risk and implementing security controls correctly. Separate the must-have controls from the nice-to-have ones and get used to prioritizing the urgent problems; otherwise your resources may run out before you bring about any meaningful improvement.
Also, ensure the controls are in accordance with the GDPR. Identity and access management, for example, should follow the purpose-limitation principle: grant access to personal data only to the roles that need it for the purpose it was collected for, and nothing more. If you are considering a data loss prevention solution, make certain the product supports systematic reporting, since you will need evidence of what was blocked and why. Encryption, too, is tricky. Your team may not have the capabilities to manage encryption keys on-premises, but if you do house them with a cloud or hosting provider, it is imperative that you remain the exclusive owner of the keys, so that the provider cannot decrypt your data without you. Next up, consider your processes. The data protection by design and by default mandate of the GDPR (Article 25) means, in all likelihood, that many of your enterprise processes will have to be redesigned. The first thing to set in place is a screening process that assigns a risk score to every data-driven project. When a project passes the high-risk threshold, your team should conduct a full data protection impact assessment, as Article 35 requires.
The other mandates that will be especially relevant at this point are data portability and obtaining consent fairly: consent must be freely given, specific, informed and unambiguous, and as easy to withdraw as it was to give. These will require process adjustment and fine-tuning as well. Your privacy notices and similar corporate correspondence will have to be tailored to accommodate the GDPR without ruining your corporate persona and tone of voice. To avoid costly disruptions, I suggest employing customer journey maps; they are a fantastic tool for identifying potential pain points ahead of time.
Once you have carefully constructed your roadmap and are confident you have your strategy nailed down, remember to audit everything. Question all the controls, all your new or updated processes, every revised piece of communication; it is preferable that you find the errors rather than the regulators. And last but not least, keep in mind that GDPR compliance is an ongoing process. So instead of thinking of the work ahead as a dash to the finish line, consider it an endurance race in which the main goal is not to fall behind.
I hope you found this high-level guide useful. Join me again next week when we look at how to turbocharge your GDPR compliance efforts with EA.