Implementing GDPR – 10 ways to smash through operational paralysis

The new GDPR should be motivating organisations to improve cybersecurity controls and systems, but in reality there is little movement

Implementing GDPR

‘GDPR becomes enforceable on 25 May 2018, and penalties for non-compliance are significant, including fines of up to 20 million euros or 4% of annual turnover for certain offences

Businesses are now slightly less than a year away from 25 May 2018, when the European Union General Data Protection Regulation (GDPR) transition period ends and enforcement begins — a deadline continually reiterated in a growing number of industry talks, seminars and articles.

This should be motivating organisations to begin mapping out plans for compliance and taking the necessary steps to protect user data via better cybersecurity controls and systems. Among other things, these steps include automating IT security monitoring, testing and measuring.

Despite (or perhaps because of) the sheer volume of information, advice and discussions around EU GDPR, many organisations are finding themselves in a state of organisational and operational paralysis – precisely at the time when plans should be well underway. And if your company is expecting an extension of the GDPR transition period, you will be in for a rude and costly surprise.

>See also: GDPR compliance: what organisations need to know

All indicators show enforcement will begin immediately on 25 May 2018, as agreed by the EU’s member states. However, it is not too late to put the wheels in motion to ensure your organisation is poised for success. Here are 10 key considerations to help move you from paralysis to effectively implementing an EU GDPR strategy for compliance.

1. Stop hesitating and start planning…today

To build trust among consumers that their personal information is secure, the EU GDPR dramatically increases the consequences of a data breach with fines of up to €20 million or 4 percent of turnover. Complying with the regulation is more than an IT challenge. It is a significant organisational issue that requires senior management to actively participate in, if not drive, the process.

Building the framework for effective implementation begins by bringing together key stakeholders from across the organisation – not just from IT, security or compliance departments. All stakeholders must be made to understand the risks of not getting it right and start by getting buy-in from all in developing an actionable plan that has a target “go” date well ahead of 25 May 2018.

2. Appoint a qualified data protection officer

Ultimately, one person needs to be accountable for ensuring compliance. In fact, you may be mandated to appoint a data protection officer, depending on the processing you perform (EU GDPR Article 37). While there are no strict guidelines in place, DPOs must have “expert knowledge of data protection law and practices.”

>See also: 6 steps to GDPR compliance

Ensure you adequately explore the DPO requirements to see if appointing someone internally makes sense, or if you need to recruit to fill the DPO position externally. There are copious resources available from organisations such as the International Association of Privacy Professionals (IAPP) that provide valuable information on finding a DPO.

3. Start building your record of compliance

Businesses are obligated to implement technical and organisational measures to show they have integrated data protection into the core of all data processing activities. This includes network security, reliability and data security regimes, as well as breach notification procedures.

It’s common sense to begin compliance measures long before May 2018 rolls around. Third-party experts such as the SANS Institute recommend you meet the compliance requirements as soon as possible and immediately begin building an ongoing record to make sure you don’t get caught out.

4. Document your efforts

As mentioned, track and keep records of the steps you’ve taken along the way to becoming compliant. The scope and requirements of EU GDPR are vast – especially if your business spans multiple countries and zones.

>See also: One year to GDPR: guide to compliance

The articles of the legislation place obligations on you to maintain documentation that proves you’re using technology that continuously monitors data and vulnerabilities. Having documentation in place earlier, rather than later, ensures you can show the length of time and the steps you’ve taken to achieve compliance in the event you are audited or need to defend actions later.

5. Develop a systematic approach

Maintaining compliance with security policies is an ongoing process requiring continuous oversight and action. Don’t make the mistake of thinking compliance is something to simply tick off your list and forget. It’s fundamentally important you develop a systematic approach to compliance management and auditing.

Today’s complex networks and IT infrastructure make this ever more challenging. Managing IPS, network devices, firewalls and other security controls for policy compliance can be a tough task in the best of times.

Building a systematic approach will ensure you are able to easily accomplish key tasks like checking firewall rules, accessing policies, dynamic routing and more for accurate device-level compliance analysis.

6. Automate, automate, automate

EU GDPR expects a considerable amount of documentation. Automation can help see you through the compliance process – from monitoring for breaches to speeding up the mandatory notification process. Be alert to situations where you can lean on technology to implement automated processes.

>See also: GDPR: the good, the not so bad and the opportunities

For example, automating security policy compliance audits to check compliance at regularly scheduled intervals makes management easier and more effective. Many tasks, including collecting, normalising and analysing data from security controls can also be automated, helping to ensure adequate risk assessment of network changes have been completed before said changes are live and put data in jeopardy.

7. Get a handle on change management

Large enterprise networks are fluid as IT teams add new users, open and close access paths, modify things like firewall rules, and even migrate to new, hybrid networks that include virtual and cloud environments.

This situation makes it a continual challenge to maintain compliance. Getting a better handle on change management procedures across all your networks — physical, virtual and cloud — ensures those changes do not compromise overall compliance and specifically EU GDPR.

Manual change management processes can work for smaller organisations, but for large and complex enterprise networks, a hybrid approach where some tasks can be automated should be explored and implemented to ensure systematic and comprehensive rule lifecycle management and end-to-end change management workflows without introducing new security or compliance risk.

8. Stay on top of key issues

While EU GDPR is an evolution of the 1995 EU Data Protection Directive, other political factors from inside and outside the EU are worth noting. On the heels of GDPR, France adopted the Digital Republic Rights Bill in 2016 while the Netherlands has had a data breach notification system in place since January 2016. A representative of the Dutch Data Protection Authority (DPA) indicated in the first 100 days it received more than 1,000 breach notifications.

>See also: The road to GDPR implementation: challenges and opportunities ahead

Germany has a long-standing policy on data security and privacy with the German Data Protection Act, also known as Bundesdatenschutzgesetz (BDSG), and has just passed the new Federal Data Protection Act or “new BDSG”, that will replace the current German Data Protection Act in May 2018. Although this act was passed to get German law in line with EU GDPR, it is complex and exceeds the scope set by GDPR causing some uncertainty. Keeping abreast of the variances and proceedings within the EU’s membership will be essential.

9. EU GDPR in a post-Brexit world

The United Kingdom played a major role shaping the GDPR and the government has signalled its intent to enact the GDPR into UK law, regardless of the outcome of Brexit negotiations.

Additionally, the GDPR dictates any data processor handling EU citizen (personal) data is within the scope of GDPR, irrespective of the geographical location of the data processing. Industry analyst Duncan Brown of IDC has been counselling firms in the US, UK and beyond, and says that those “handling EU citizen data will therefore still have to comply with GDPR, and technology firms selling to the EU, such as cloud and data centre services, will also have to adhere to EU rules.”

While Brexit negotiations continue, IDC recommends UK companies should assume they will have to adhere to the GDPR requirements – either because it is most likely they will handle EU citizen data or the UK government will develop laws similar to GDPR.

>See also: GDPR: What do you need to know?

10. Stay ahead of the game

There is no shortage of advice on EU GDPR. But it is important to consider the source and what stakes they may have in implementing EU GDPR. There are many great resources and materials to help you sort through the process as you move from planning to compliance.

For example, the National Cyber Security Centre has a “10 Steps to Cyber Security” document which outlines steps organisations can take to begin to construct a stringent cybersecurity posture. While the GDPR may not have a clear-cut and direct correlation with US law, the country’s National Institute of Standards and Technology outlines many security controls that should also meet GDPR requirements.

If your organisation has many of these already in place, you likely have a leg up on the compliance process. If not, it may be a good place for additional guidance. Also, watch for technical guidance and codes of conduct from relevant EU authorities, such as regulators in member states and EU-wide authorities, including the Article 29 Working Party, which will become known as the European Data Protection Board.

 

Sourced by Justin Coker, Vice President EMEA, Skybox Security

 

The UK’s largest conference for tech leadership, TechLeaders Summit, returns on 14 September with 40+ top execs signed up to speak about the challenges and opportunities surrounding the most disruptive innovations facing the enterprise today. Secure your place at this prestigious summit by registering here

Comments (0)