GDPR Compliance Checklist
With 2017 coming to an end, the clock is ticking closer to the implementation of the EU’s new General Data Protection Regulation (GDPR) on May 25th 2018. While interest in issues of compliance surrounding the dreaded new legislation has soared in recent months, a great number of companies have yet to take concrete measures to ensure their businesses are up to the new standards before the deadline.
So what does it take to start your journey to compliance? Here is a short compliance check to get you started!
Whether your company is located within the European Union or outside it, you are required to comply with all requirements of the GDPR if any of your customers are EU data subjects. You must also bear in mind that the GDPR restricts cross-border data transfer outside the EU. For free data flow to occur cross-border, a third country must be deemed to have an adequate level of data protection by the European Commission. A list of the countries already confirmed as adequate can be found here.
The GDPR requires all businesses that process personal information of EU data subjects on a large scale to follow all requirements of the new legislation. It is also mandatory for them to appoint a data protection officer.
If you process the personal data of any EU data subjects you are still required to follow the security requirements of the GDPR in article 30 as well as a large number of the other points set out in the legislation. The good news is you can forgo the appointment of a data protection officer.
Knowing where your sensitive data is and who has access to it is essential to building effective data protection policies. Data Loss Prevention solutions such as Endpoint Protector can help you both monitor the path personal data takes within your network and take measures such as encryption, deletion or blocking based on the results.
You should ensure that all data being transferred outside the network via portable devices, including USB drives, is encrypted. Due to their size, USB drives in particular are easy to lose or steal, yet they remain the preferred data transfer method on the go. Encryption solutions can prevent potential data leaks by encrypting all data that is transferred to USB drives. This can be done automatically, since the solution can be deployed by admins to any endpoint in the company network, thus taking potential employee negligence out of the equation.
It is important for companies to formulate clear data protection policies within the workplace, but it is even more important for them to educate employees about them. Simply sending around emails to announce the policies may prove ineffective and dangerous to data security. Much like workplace health and safety training, data protection training under the GDPR will become just as important to a company’s good functioning.
One of the major changes brought about by the GDPR is the need for companies to take responsibility for the security of EU citizens’ data. Under the new regulation, they become financially liable in the eyes of the law in case of a major data breach. At company level, this means that a streamlined incident response plan must be put in place that can quickly and effectively curb the level of exposure.
It must be easy to implement once an incident is discovered, and it must be able to establish the incident’s source, reconstruct the timeline of events that led up to it, and contain it. It must also be able to accurately assess the impact of the breach, whether sensitive data pertaining to EU citizens was compromised, and whether the incident needs to be reported to a National Data Protection Agency. An effective response plan can minimize data loss and save companies considerable sums of money in fines.
Once a breach has occurred, companies are obligated under the GDPR to report it to their National Data Protection Agency without undue delay and within 72 hours of becoming aware of it. While authorities do not expect businesses to be able to contain a breach and discover every detail about it within that time frame, they must submit as much information as possible.
After the breach is notified, the agency in charge will decide whether a fine has to be applied and for what sum. This is when companies must prove that they have taken reasonable measures to prevent data breaches from occurring. It is therefore important that companies take the ideas of privacy by design and by default seriously and begin building security into their networks and processes from the outset.
While both cybersecurity and policy experts are still debating the finer points of the GDPR and what they will mean for companies processing EU citizen data, one thing is clear: companies can no longer afford to turn a blind eye to data security and must make it a priority if they are to stay off the radar of Data Protection Agencies. With major cyberattacks aimed at sensitive data taking place every day, 2018 is going to be the year when regulators will take a stand by making data protection mandatory by law and permanently changing the way companies look at data security.