With just over two months until the General Data Protection Regulation (GDPR) comes into force on 25 May 2018, it is time for businesses to conduct an urgent review of their preparations. After all, the potential fines for non-compliance (up to €20 million or 4% of worldwide annual turnover, whichever is higher) cannot be ignored.
Here are three key areas where your IT team must be up-to-speed before May 25th.
1. People, Processes and Technology
GDPR has – mistakenly – been identified as an “IT issue”. Data storage and retention is an IT function, but GDPR applies to every employee who handles personal data, whether or not that data ever touches an IT system.
Obviously your internal review must look at IT safeguards (firewalls, encryption, pseudonymisation and anonymisation; Article 32 explicitly names pseudonymisation and encryption as appropriate technical measures). Do not assume that is the end of the exercise, however. There are two other potential weak points in your defences: people and processes.
First, assess the way that personal data is handled as it moves around your business. Is more information made available internally than each role actually needs to do its job? Are people circumventing approved data storage and transfer mechanisms, for example by emailing sensitive data to third parties? You will need to tighten processes to reduce the risk of employees “breaking the rules”, and make the approved route easier to follow than the workaround.
You must also conduct an urgent education program to help employees realise they have a very important role in data protection. Help them understand that “restrictive” processes exist to protect customers, the business and, ultimately, the end user themselves.
2. Audit everything
Although the GDPR was adopted by the European Parliament and the Council in April 2016, there are still no approved certification schemes or codes of conduct against which compliance can be measured. Despite this lack of guidance, CIOs and CTOs must be able to demonstrate adherence to the general principles of protecting personal data.
In the event of a data protection investigation, your business must be able to demonstrate the safeguards in place, and how effective they are. The accountability principle in Article 5(2) places the burden of proof on you, and Article 30 requires most organisations to keep written records of their processing activities. By auditing data operations, particularly changes to workflows and security systems, you will be able to evidence your compliance efforts. This process closely resembles the obligation to keep PCI DSS documentation up-to-date and fully accurate.
GDPR makes similar demands: you must document your processes related to personal information, and just like PCI DSS, this documentation needs to be kept up-to-date. The disciplines and processes involved in PCI DSS audits will translate directly to your GDPR obligations.
3. Develop a “security by design” mindset
Data protection under GDPR and PCI DSS is a moving target – the job is never done. Your IT team will need to develop a culture of constant improvement, actively looking for ways to strengthen safeguards and processes.
Importantly, Article 25 of the GDPR calls for “data protection by design and by default”. “By design” means that every activity your business undertakes should first consider the personal data that may be affected, and how that information will be protected; “by default” means that, unless someone deliberately chooses otherwise, only the personal data necessary for each specific purpose is collected, processed and retained. Only after these concerns are addressed can you move a project forward.
Without this focus on security first, complacency will quickly set in. Should this happen, vulnerabilities will creep through unnoticed until exploited by an attacker. You will also be failing to meet your obligations under PCI DSS, and under the GDPR once it comes into force.
Get help. Now
With a matter of weeks until the GDPR comes into force, there is no time to waste in re-checking the readiness of your organisation. To ensure you are prepared, consider partnering with a compliance expert like Advantio who can apply their knowledge, experience and skills to better protecting customers’ personal data.