With the General Data Protection Regulation (GDPR) going into effect at the end of May this year, organizations are rushing to understand what they need to do to comply (and to prove that compliance). A recent webinar with Blancco, 3 Step IT and D8amatiks covered this topic from a range of different angles (GDPR building blocks) to help prepare attendees for whatever might come their way. Topics covered include:
- How to know what assets and data you have so you can formalize proper processes and policies
- How to meet the GDPR’s ‘Right to Erasure’ requirement
- How to ensure compliance across the entire data lifecycle
Here are some of the highlights within these three topics:
- Privacy Must Be Your Number-One Priority
Privacy is as important as customer satisfaction and revenue for your business. Organizations must build privacy into every part of their business moving forward to achieve compliance with global regulations such as the GDPR.
Speaking of the GDPR, it is not a destination; it’s a journey. No organization will be 100 percent GDPR compliant by May of this year. Your organization should simply do its best to follow the regulation as closely as possible and realize that the regulators aren’t going to come after you with a strict list of what you have and haven’t done—at least not right away.
How do you bring privacy into your company’s DNA? There are three steps you must take to build your privacy “house”:
- Systems and process mapping
- Data inventory or record of processing activity
- Data privacy policies and procedures
You also must think about how you’re protecting your data overall, including while it’s in-transit and at rest. Additionally, it’s important to define retention periods for different types of data and investigate what types of data you’re currently holding.
- Change How You Think About Asset & Data Management
The focus on protecting private data has often been on asset life cycle management: making sure no assets leave your physically secure environment with data still on them at end-of-life, i.e. a secure decommissioning process. Most businesses have this well under control, but if you don’t, it’s something you should put in place to comply with data security best practices and avoid data breaches. However, the GDPR goes far beyond managing your assets on this level.
Article 17 of the GDPR, also known as the ‘Right to Erasure’ or ‘Right to be Forgotten’, mandates that businesses must erase individuals’ personal information in several different scenarios, including when they ask for it to be wiped. And companies must do so without “undue delay.” Otherwise, they could face hefty penalties over time. Organizations must show that compliance with this article is a top priority, producing certificates of erasure when requested by regulators.
It’s important to understand the difference between “delete,” “reformat,” “wipe” and other terms versus secure erasure. True data sanitization (which includes data erasure, verification and a full audit trail) ensures that sensitive data is gone forever. Data erasure should be performed at many different points in the data lifecycle and in various situations, including customer demand, equipment end-of-life, data migration and cloud exit, among others.
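To make the distinction between “delete” and sanitization concrete, here is an added example (not code from the webinar or from any of its sponsors) that models a storage medium as a flat byte array with a directory. A plain delete only drops the directory entry, so the personal data is still recoverable from the raw medium; sanitization overwrites the blocks, reads them back to verify, and returns a record of the kind a certificate of erasure is built from. The `ToyDisk` class, the block size and the personal-data records are all constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timezone

BLOCK_SIZE = 16  # toy block size, constructed for the example


class ToyDisk:
    """Constructed model of a storage medium: a flat byte array plus a directory
    that maps file names to block ranges. An ordinary 'delete' removes only the
    directory entry, which is how many real filesystems behave as well."""

    def __init__(self, n_blocks):
        self.media = bytearray(BLOCK_SIZE * n_blocks)
        self.directory = {}        # name -> (first_block, block_count)
        self._next_free = 0

    def write_file(self, name, data):
        count = -(-len(data) // BLOCK_SIZE)          # ceiling division
        first = self._next_free
        if first + count > len(self.media) // BLOCK_SIZE:
            raise IOError("toy disk full")
        offset = first * BLOCK_SIZE
        self.media[offset:offset + len(data)] = data
        self.directory[name] = (first, count)
        self._next_free += count

    def delete(self, name):
        """Plain delete: forget where the file was, leave its bytes in place."""
        del self.directory[name]

    def contains(self, needle):
        """Audit check: does the raw medium still hold this byte string?"""
        return needle in bytes(self.media)

    def sanitize(self, name, pattern=b"\x00"):
        """Erase one file's blocks, verify by reading them back, return an audit record."""
        first, count = self.directory[name]
        start, end = first * BLOCK_SIZE, (first + count) * BLOCK_SIZE
        expected = pattern * (end - start)
        self.media[start:end] = expected             # overwrite pass
        readback = bytes(self.media[start:end])      # verification pass
        verified = readback == expected
        del self.directory[name]
        return {
            "file": name,
            "blocks": [first, first + count - 1],
            "method": "single-pass overwrite",
            "verified": verified,
            "readback_sha256": hashlib.sha256(readback).hexdigest(),
            "timestamp": datetime.now(timezone.utc).isoformat(),
        }


# Constructed personal-data records standing in for real data subjects
RECORD_A = b"subject:alice@example.test;dob=1980-01-01"
RECORD_B = b"subject:bob@example.test;dob=1975-06-30"


def demo():
    """Compare a plain delete with a verified erasure on the toy medium."""
    disk = ToyDisk(n_blocks=8)
    disk.write_file("alice.txt", RECORD_A)
    disk.write_file("bob.txt", RECORD_B)

    disk.delete("alice.txt")                          # directory entry gone, bytes remain
    recoverable_after_delete = disk.contains(RECORD_A)

    record = disk.sanitize("bob.txt")                 # overwrite + verify + audit record
    recoverable_after_sanitize = disk.contains(RECORD_B)

    return {
        "recoverable_after_delete": recoverable_after_delete,
        "recoverable_after_sanitize": recoverable_after_sanitize,
        "record": record,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The returned record is the audit-trail half of sanitization: it ties the erased location, the method, the verification result and a hash of the read-back data to a timestamp. On real hardware a file-level overwrite is not sufficient: SSD wear levelling, journaling filesystems and remapped sectors can leave copies outside the blocks you wrote, so production sanitization verifies against the physical medium (or uses the device’s own sanitize commands) rather than against the filesystem view shown here.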
- Building GDPR-Readiness at Each Stage of the Data Lifecycle
The GDPR was born out of a history of cybercrime. After many years of high-profile data breaches, it’s clear we need regulations to protect individuals’ privacy. There are three foundations you should ensure are in place to ready your organization for the GDPR and potential data breaches. These include: physical security, technical security (hardware, software, real-time monitoring) and human security (the biggest threat; all employees must be trained on proper data security practices).
You must understand all the assets and operational systems in use across your organization. You need to be able to monitor and control these devices and their security policies. Having updated firewalls is one necessity, as is having endpoint security and encryption in place. Everyone in your organization must take responsibility for data—not only your IT department.
Make regular visits to where your data is stored, and continuously consider how your physical security is performing and how it could be improved. Monitor your network at all times, keep up with the latest cyber threats, and train your employees on data security practices on an ongoing basis. Having a hardware refresh program can also help, as can setting up a guest network for third-party companies as needed.
To learn more about GDPR readiness and strategies for compliance, be sure to watch the webinar on-demand (no personal details required!) at your convenience. If you have any lingering questions after doing so, be sure to contact Blancco or the other sponsors for answers in their areas of expertise. We look forward to hearing your feedback!