Secure Your Data and Become GDPR Compliant
March 28, 2018
May 25, 2018 marks the GDPR compliance deadline: the day every organization conducting business in the EU (even those not located in the EU) must adhere to the regulation on the protection of user data. Organizations found not in compliance will face fines up to $20 million, or 4% of global turnover, whichever number is higher. With mere months before deadline day, many organizations are scrambling to determine what needs to be done to achieve compliance. But where to begin?
As a first step, organizations should be aware of the changes in the law and the impact these changes will have on their business. Before we cover the steps to prepare your data for GDPR compliance, let’s review the basics.
WHAT IS GDPR?
GDPR stands for General Data Protection Regulation. The bill consists of 173 ‘Recitals’ which describe the intended results and achievements, and 99 ‘Articles’ describing the precise rules. Some of the key mandates include:
- Simplifying the process of consenting to personal data use; it must be as easy to withdraw as it is to give
- 72-hour reporting window for data breaches
- Data subjects (those that have given their personal data) can obtain their information from data controllers (organizations like yours) for free within 1 month of the request.
- Data protection must be built into the design of new systems from the onset.
- Organizations larger than 250 employees must appoint a professionally qualified data security officer.
Essentially, if your organization deals with PII data of European Union citizens, the EU is holding you accountable.
WHY DOES GDPR EXIST?
GDPR came about as an update to the 1995 Data Protection Directive and is in response to the increasing and ever-evolving security threats and attacks. Unfortunately, these attacks are becoming more frequent and show no signs of slowing down. 2017 gave us some of Cybercrime’s Greatest Hits.
- Bad Rabbit
- June 2017 Voter Record Exposure
- 2016 Uber data leak (57 million accounts)
- 2016 big reveal that 3 billion Yahoo accounts were hacked in 2013
And the list goes on and on…
HOW DO WE GET GDPR COMPLIANT?
Once you’ve made sure key people in your organization understand the law, it’s time to take action. While the road to GDPR compliance may seem daunting, the good news is that it is not as scary as it sounds. Let’s break it down into three main phases:
- Discovery: Identify what personal data you have and where it lives. From this discovery, you should be able to determine how you currently manage and access your data.
- Gap Analysis: Compare your current security program to the GDPR security best practices described above. This will shed light on areas where risks are lurking so you can focus your attention on what matters most.
- Roadmap: This is where you begin to define how you’ll transition from your current state to the next level of protection. Outline which controls need updates based on your gap analysis and establish what technology, activities, and relative effort will be required to improve each element. Planning this out ahead of time will ensure you’re in compliance before the cutoff. Additionally, establish ongoing reporting on the data you have, the requests for that data, and the protocols you will need to manage ongoing risks and requirements based on the new laws.
If you’re like most midsize organizations, you may not have the internal resources to perform the steps outlined above. The good news is BDO Digital can help. We’ve been studying GDPR since it was first announced and have already helped numerous organizations get GDPR compliant. Let us bring you out of the wilderness and into the promised land before the clock strikes midnight on the GDPR compliance date. Contact us for more information on how to secure your most valuable assets.