The CISO’s pre-EU data protection regulation checklist

The countdown to the EU Data Protection Regulation has begun and any enterprise that hasn’t already started to get its systems in order may be in for an unpleasant surprise.

The reform is known as the General Data Protection Regulation (GDPR) and its goal is to bring the data protection rules currently governing the 28 countries of the EU into the modern era.

It will see enterprises having to adhere to rules and regulations that will remain consistent across all countries and has the potential to protect both the business and the individual.

As of 15 June all member states agreed to the laws and the robust regulations that will be unified across the EU. So what do organisations need to do before January 2016? Here is the checklist the enterprise needs.

1. Locate the data

The most important concern for any organisation is that it knows precisely where its data is stored. The GDPR outlines precisely what the organisation’s responsibility is when it comes to the storage and gathering of data and covers everything from servers to data centres to the cloud.

The fact is that many businesses are not entirely sure where all their data is stored and need to ensure that the correct policies are in play. Data access, data governance and data protection must be implemented rigorously, and all data repositories must have the right audit and control policies enforced.

Tip: For the organisation to effectively prepare for the impact of the GDPR they must have a clear understanding of the jurisdiction in which their data is stored.

2. Define access

Once the location of data has been established, the business needs to determine precisely who has access to what data. Personally identifiable information (PII) or financially sensitive information should not be easily accessed and must have controls in place to determine who can use, access and share it.

Tip: Know who has access to highly confidential information and ensure that there are rigid controls in place to monitor, secure and manage this access.

3. Understand the legalities

Data now comes with a heavy legal responsibility and each organisation is responsible for ensuring that it is secured, managed and obtained within the strictures of the GDPR.

The amendments to the data protection regulation place the onus on the business when it comes to data control. The organisation has to develop a rigorous data and information framework that adheres to legislative parameters – otherwise, a breach could end up costing it far more than a shaken reputation.

This doesn’t just protect the consumer, it also provides the organisation with a measure of protection should the worst come to pass. If the business is compliant, it is seen to have done everything it can to protect its data.

Tip: Define all data protection and control within the legislative framework to ensure absolute compliance.

4. Know the security risks

This item is addressed almost in tandem with the first three: locating and defining areas of potential risk and developing systems and solutions to address any loopholes. The latter will be further defined by the GDPR, and the entire security system should be re-assessed in line with the new legislation to ensure compliance.

It is also vital that the modern organisation be more flexible and proactive than ever before so as to stay one step ahead of crime. Security is constantly tested by external forces and the best way to be prepared is to be constantly on the alert.

Tip: Develop a proactive, flexible and adaptable security system to ensure that the organisation stays one step ahead of risk.

5. Assess the future

It is mid-way through 2015 and the amended GDPR is predicted to hit the table early 2016. Now is a good time to step through the checklist and to ensure that your organisation is on its way to compliance.

Start data mapping as soon as possible to determine the location of data and develop a strategy to combat any shortfalls or challenges.

Tip: Start early so there is enough time to address any issues and ensure the organisation is ready for the GDPR.


Sourced Nick Pollard, Guidance Software

Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...