This post first appeared on Risk Management Magazine.
The European Union’s impending General Data Protection Regulation (GDPR), which goes into effect on May 25, applies to every company that offers goods or services to the EU or monitors the behavior of individuals within the EU. The aim of the GDPR is to ensure that an individual’s personal data is stored with consent, for a specific purpose and for a reasonable duration of time. Failure to comply with the regulation’s requirements could result in fines of up to €20 million or 4% of the offending company’s annual global revenue, whichever is higher.
The GDPR may require a lot of changes for companies that collect, process or store data on any EU citizens. By May 25, companies must address issues like:
- Privacy and security by design
- Privacy impact assessments
- Inventories and data-mapping of personal information across all business systems
- The appointment of a data protection officer (DPO)
- Evidence to demonstrate reasonable efforts put forth
Ensuring GDPR compliance requires a concerted effort across an organization’s entire executive team: the data protection officer must work with C-level executives and other senior leadership to identify and map data inventories and processes, perform risk assessments, and conduct gap analyses. These projects can be costly and time-intensive, and they often require additional resources.
Preparing for a significant security compliance change can be overwhelming. The most efficient way to achieve GDPR compliance is through interdepartmental collaboration and the use of technology solutions that automate and validate business needs such as policy compliance, data security and required reporting. As the deadline looms, most organizations should already have started assessing the business impact, devising a company-wide implementation plan and addressing additional resource needs. Every GDPR implementation plan should include the following six steps:
1. Raise awareness enterprise-wide
The first step is to raise awareness of the GDPR at all levels of your organization. Develop recordkeeping and monitor best practices, engage in ongoing training outlining breach scenarios and causes, and create a culture of security across the entire organization. Ensure that employees not only understand the impact of these new regulations, but that they feel comfortable raising alerts—and know who to go to—if there is cause for concern.
2. Designate a data protection officer
The GDPR specifies which organizations must formally designate a DPO. These include public authorities (except for courts) and private organizations whose core activities consist of either processing operations that require regular and systematic monitoring of individuals on a large scale, or large-scale processing of sensitive data or data relating to criminal convictions or offenses. EU or member-state law may require the designation of a DPO in other situations as well.
3. Create a data inventory
In order to understand the risks associated with how information is processed, stored and transferred, an organization must fully understand the data it collects and processes. Once a detailed inventory list of data types has been created, each data set should be mapped end-to-end throughout the organization’s technology infrastructure to identify all physical and virtual places where data is held. This includes customers, employees, and third-party suppliers or vendors. Distribute these lists to internal departments and stakeholders to ensure that all data types and storage locations have been identified.
4. Evaluate risk and perform gap analysis
Next, you will need to take your inventory of data and processes and compare it to the GDPR requirements. Be sure to include third-party suppliers and vendors. Where are the gaps in compliance? Are there areas at risk of non-compliance in the future? What are the most immediate needs the company must satisfy in order to move toward GDPR compliance?
5. Develop a roadmap
Once you have identified all potential GDPR compliance gaps, your organization should develop a roadmap outlining required changes to processes and systems to conform with GDPR requirements. Some of these changes may result in the tightening of existing controls, while others may require that entirely new controls and processes be developed.
6. Monitor and report progress and compliance
The GDPR requires “security by design,” which mandates that IT professionals build compliance into the design of any future business operations that capture, process or store data. The data protection officer should work with all necessary business and IT teams to ensure that operational systems and data management workflows remain compliant and stay up to date with any GDPR announcements or changes.