The GDPR – 5 steps to start from
You know you need to make changes to your data protection processes. You’ve read, learnt and accepted your fate. You’ve even negotiated a budget and resources. So, what now? And how will you get it all done for May 2018, when the regulation becomes law?
If you too are feeling a little overwhelmed, we’ve prepared five simple steps to get you started:
When it comes to data, privacy and cyber security, your employees are the first line of defence. Make sure all of your employees are well aware of the new regulation and its key principles, as well as the threats the company is facing.
This includes tailored training for all employees, from the security and management teams to your administrative department. One good approach is to run an anti-email-phishing programme that takes an interactive approach and simulates real-world phishing emails, so that employees are prepared for the real thing.
Ask the following questions to map the information your company holds:
What data do we have?
Where is it held?
Who has access to it?
Are there any third parties with access to this information?
This task can be incredibly tedious and is often error prone. There are many tools on the market to help you with it.
Remember: as of May 2018, knowing what data you hold will no longer be merely a convenience; it will be your legal obligation.
Map the Data’s Journey
Follow the data from the moment it arrives at the company until it is processed and saved, whether by you (as a ‘data controller’) or by your ‘data processor’. Distinguish between the different types of information:
Information about your company – this might include information about your products, research and development, business practices and processes, employees, and the state of your finances.
External information – customers’ information that you control and process. For the purposes of the GDPR, you need a complete view of the ‘data journey’: where the data is stored, how it is processed, which third-party companies it has passed through, and so on.
Data Protection Impact Assessment (DPIA) or a Gap Analysis
This is an assessment of your organisation’s current security level as well as its level of compliance with the regulation. This will help you identify and prioritise the key areas your organisation must address ahead of May 2018.
Based on the results of the gap analysis, initiate a remediation plan with clear, prioritised tasks. This may include implementing various cyber security products, running training programmes, subscribing to threat intelligence feeds, conducting a risk assessment of your data processors, establishing an incident response plan, and much more.
We recognise that preparing your organisation to comply with the GDPR is no small feat. The five items above are a solid start, but you should also consider engaging a single service provider to manage the entire operation from start to finish, from data mapping to implementation of the remediation plan. If you do choose to work with a service provider, make sure they have a deep familiarity with the regulation, turn-key capabilities and connections to the latest cyber security technologies.