Increase Awareness

When it comes to data, privacy and cyber security, your employees are the first line of defence. Make sure all of your employees are well aware of the new regulation and its key principles, as well as the threats the company is facing. 

This includes tailored training for all employees, from security and management teams through your administrative department. One great solution would be to implement an Anti-Email Phishing program that uses an interactive approach and simulating real-world email phishing attacks to help prepare employees for the real thing.  

Data Mapping

Ask the following questions to map the information your company holds:

What data do we have?
Where is it held?
Who has access to it?
Are there any 3rd parties with access to this information? This task can be incredibly tedious and often error prone. There are many tools on the market to help you out with this task.  

Remember – As of May 2018, knowing what data you have will not only be a convenience, but rather your legal obligation. 

Map the Data’s Journey

From the moment it arrives with the company until it is processed and saved, either by you (as a ‘data controller’) or by your ‘data processor’.  Distinguish between the different types of information:

1.     Information about your company – this might include information about your products, research and development, business practices and processes, employees, and the state of your finances

2.     External information – customers’ information that is being controlled and processed. For the purpose of GDPR, you need to have a complete view of the ‘data journey’ – where it is stored, how it is processed, through which 3rd party companies has it passed, etc. 

Data Protection Impact

Assessment (DPIA) or a Gap Analysis 

This is an assessment of your organisation’s current security level as well as its level of compliance with the regulation. This will help you identify and prioritise the key areas your organisation must address ahead of May 2018.  

Remediation Plan

according to the results of the gap analysis, initiate a remediation plan with clear, prioritised tasks. This may include the implementation of various cyber security products, training programmes, subscription to threat intelligence feeds, conducting a risk assessment to your data processors, establishing an incident response plan and much more.

Final note

We recognize that preparing your organization to comply with the GDPR is no small feat. The above five items are a solid start, but you should also consider using the services of a single service provider to manage the entire operation from start to finish – from data mapping to the implementation of the remediation plan. In the case that you do choose to work with a service provider, be sure they have a deep familiarity with the regulation, turn-key capabilities and connections to the latest cutting-edge cyber technologies.

Good luck!