There is still time until 2018, but have you sketched a game plan yet? The General Data Protection (GDPR) regulation makes a big statement about individuals’ private data and their right to request data controllers and processors to delete, correct, and forward their data. In consequence, GDPR comes with significant changes compared to the Data Protection Directive 95/46/EC involving operational changes in organizations. So, if you haven’t started to prepare for the new regulation, you better start today.
Let’s see how the game plan would look like in order to maximize your chances of getting to the finish line without spending too many resources.
1. Make sure key people are aware of the changes
Chief Security Officers, IT Managers, CEOs, business unit managers, etc. have to be informed of the legal changes the GDPR imposes and should make sure they translate them into plain, simple measures to apply in order to respect this regulation. The clearer the objectives are, the sooner everyone will understand what their role is and act accordingly.
2. Conduct an audit to understand what’s your current state
To be able to apply the enhanced, stricter rules, organizations should perform an audit to their current data security solutions and processes implementation and build upon it. The audit should reveal what data is collected from individuals, if there are proper consent procedures, where are private details stored, who has access to them, how is the integrity of private data ensured, etc. Based on the discovered pieces of information, a solid plan for upgrading to the new regulation can be outlined and shared with all involved parties.
3. Execution is the real game
The strategy is worth nothing without a disciplined execution. Knowing what data security and management solutions have to be selected and implemented to ensure compliance and security is not as easy as it would seem. There are numerous factors that weigh in and the human factor is the most complex. A simple example would be the Data Protection Officer that has to be appointed. Companies have a tough decision to make, considering the level of responsibility assigned to a DPO. The officer has to make sure that data protection compliance is met, so his / her role is crucial and difficult, having to deal with employees’ on one side and departments’ managers on the other side.
Also difficult to execute is the article referring to the cross-borders transfers which extend farther than physical borders where the headquarter or branches of a company are. A company operating in Germany can have customers in France, USA or any other country. This comes with a big responsibility in what concerns individuals’ data security. The GDPR will apply to the processing of personal data of individuals residing in the EU, even if the controller or processor is not located in the EU. So, if your business is not in the European Union, you can still be subject to this regulation.
A real game-changer will be the ‘data protection by design and by default’ principle. This will require services or products to include privacy and security features from the very beginning of concept and development. That should be interesting especially for mobile app developers and the IoT sector. The new regulation will be a great motivator for vendors to align data security with innovation and build not only ingenious products but also secure products.
How can Endpoint Protector ensure compliance with GDPR
From planning to execution, software accompanied by the intervention of key people’s insights helps businesses to efficiently apply the necessary changes for the readiness with the new regulation. So, how can we help specifically with our DLP solution in your quest to become compliant with GDPR?
-
Audit
An important part of the audit is covered by Endpoint Protector Data Loss Prevention. In the initial phases of the DLP implementation, IT Administrators can set the policies on report only, so data that is being transferred outside the company is being tracked and reported. Businesses can get valuable insights about what users are transferring unauthorized data, like personally identifiable information, credit card numbers, social security numbers, and other sensitive information. Additionally, the exit points can be flagged for monitoring, to detect exactly where the confidential data goes – on cloud apps, by e-mail, on portable storage devices, on webmail, etc. The most active users when it comes to data transfers and devices connections can be discovered and based on this information together with data gathered from audit software can paint a picture on the actual situation before moving forward with operational changes for compliance.
-
Execution
Once the audit is finalized, organizations have to strengthen security and address the vulnerabilities. Endpoint Protector monitoring policies can be converted into restrictive policies, blocking unwanted file transfers, unauthorized data copied/pasted, screen captures, etc. and all of this depending on the various transfer channels and the users, computers, groups that are part of the organizational structure. Since individuals’ private data is so crucial to protect according to the updated regulation, it can be secured against leakages and theft with the content filtering capabilities available in Endpoint Protector DLP.Our solution can also help in the cross-border data transfers. Organizations are prohibited from transferring personal data to recipients outside the EEA, unless the region of destination provides an adequate level of data protection (deemed by the European Commission), or unless there are other circumstances set also by the European Commission.
This scenario applies to companies using online IT services, multinational companies with several establishments in the EU Member States, cloud-based services, remote access services, and other similar business models. Endpoint Protector can detect and block data transfers to solutions with data centers located in countries outside the EU (e.g. Dropbox) or, in case those countries fit in the adequacy level of data protection, data transfers can be allowed. It all comes down to the control you get for sensitive data movement. Another helpful aspect is Endpoint Protector architecture that allows the management of the administration console from one country and the computers being managed for DLP in another country. This flexibility makes tracking and blocking of data transfers achievable regardless of the business location, so multi-establishment organizations can implement one solution for all their offices.
The General Data Protection Regulation can cause serious headaches until full compliance is achieved, but after that milestone, organizations will be able to see how the benefits outweigh the efforts. Entering new markets in Europe will be easier for businesses because the data protection regulation will be the same as in their home country. The European Commission exemplifies in a press release how companies can cut costs thanks to the reform.
Example: Cutting costs
A chain of shops has its head office in France and franchised shops in 14 other EU countries. Each shop collects data relating to clients and transfers it to the head office in France for further processing.
With the current rules: France’s data protection laws would apply to the processing done by head office, but individual shops would still have to report to their national data protection authority, to confirm they were processing data in accordance with national laws in the country where they were located. This means the company’s head office would have to consult local lawyers for all its branches to ensure compliance with the law. The total costs arising from reporting requirements in all countries could be over €12,000.
With the Data Protection Reform:
The data protection law across all 14 EU countries will be the same – one European Union – one law. This will eliminate the need to consult with local lawyers to ensure local compliance for the franchised shops. The result is direct cost savings and legal certainty.
Source: http://europa.eu/rapid/press-release_MEMO-15-6385_en.htm
To sum up, if you haven’t started working on GDPR compliance, awareness across business units is the first thing to achieve, followed by a sound audit and a great execution. Choose carefully what software can help you in each stage of the process and always complement software implementation with the particularities of your organization, the legal framework and the human factor.
UPDATE:
We have also put together a useful guideline for all organizations and companies on how to prepare for the new GDPR regulation and what changes they need to make in order to become compliant. In the white paper, you can find information about:
- What is GDPR
- GDPR readiness
- Key articles and how they impact businesses
- Penalties
- Cornerstones in the process of becoming GDPR compliant
- How Endpoint Protector solutions help businesses to get faster to GDPR compliance
- Compliance with GDPR cuts costs
Download the white paper here.
You might also find interesting our: GDPR Infographic – Checklist and essentials
Download our free ebook on
Data Loss Prevention Best Practices
Helping IT Managers, IT Administrators and data security staff understand the concept and purpose of DLP and how to easily implement it.
