The General Data Protection Regulation—known to the world as GDPR—goes into effect in the European Union (EU) on May 25. This regulation constitutes a data privacy revolution; it affects any enterprise that collects and stores information on EU citizens, even if the enterprise is not based in the EU. Failing to meet GDPR compliance can result in staggering fines: 20 million Euros ($23.5 million in U.S. dollars) or 4% of annual global sales, whichever is greater, for a violation. Attention must be paid.
Yet attention to this critical law seems to be in short supply. Only a third of EU enterprises say they are in line with or on their way to GDPR compliance, and only half of affected U.S. enterprises say the same.
What should enterprises do to prepare for GDPR compliance? What are the first steps?
Know the Data Your Enterprise Collects
Following GDPR compliance guidelines will require your enterprise to do a little self-examination; specifically, self-examination of what kinds of data your enterprise collects and how that data is stored.
This may seem simple on the surface, but it can be a much more labor-intensive process than it appears. Enterprises of even middling size can have hundreds of applications storing user data, many of which may pass by unnoticed. Thus it is vital to thoroughly examine your enterprise’s IT environment and secure any potentially leaky data storage.
GDPR compliance mandates also set limits on how long user data can be stored, so this should be seen as an opportunity to evaluate your data storage policies and outline risk mitigation policies.
Finally, it is vital to remember that you are responsible for the data collection and storage practices of your enterprise’s partners and vendors. If they aren’t in compliance, neither are you. This may be a good time to evaluate your contracts, examine what data is leaving your enterprise, and inquire into your partners’ data policies to avoid the heavy price of a compliance failure.
Establish a GDPR Compliance Command Chain
Quick! Who’s in charge of GDPR compliance at your enterprise? How will a violation be handled? If a breach occurs, what is the chain of communication within your enterprise?
If you don’t know the answer immediately, that is a major problem. GDPR compliance requires that an enterprise notify all affected parties of a breach within 72 hours of discovery. That’s not a lot of time, and it can be a real constraint if your interdepartmental communications are confused.
GDPR compliance outlines the data controller, the data processor, and the data protection officer as the roles most responsible for fulfilling the mandates. These jobs often overlap in their duties:
- The data controller handles the processing of users’ data and the purposes for processing it, and ensures third-party compliance.
- The data processor, which can be an internal or external entity, maintains and processes users’ data. GDPR states they will be the most liable for a compliance violation.
- The data protection officer conducts the oversight of their enterprise’s data security strategies and GDPR compliance. A data protection officer is mandatory if the enterprise handles a large amount of EU citizens’ data.
Know Your Users’ Rights
GDPR compliance protects not only basic identity information but also web data like IP addresses, health data, biometric data, and political opinions. It also ensures customers’ and users’ right to be forgotten, also called the right to erasure. Essentially, enterprises must delete all of an individual’s identity data forever if requested. Individuals must give their consent to how their identity data is used, and can rescind that consent at virtually any time.
Partner enterprises can also make a right to erasure request, and the right to erasure is automatically invoked at the end of a service agreement. There are some exceptions concerning the right to be forgotten, but they are rare. Check if any apply to your enterprise.
Furthermore, users’ data can only be used for authorized purposes, and enterprises must make an effort to minimize the exposure of identities.
Be Prepared for Ongoing Assessments
GDPR compliance, like so much in data privacy and cybersecurity, is not a set-it-and-forget-it affair. Your enterprise must be prepared to continually evaluate and monitor for compliance hiccups or areas for improvement. Consider how you will incentivize GDPR compliance in your workforce and be prepared to monitor employees for poor data privacy behavior. There’s a lot at stake for failing to comply.
If you’d like to know more about how to prepare your enterprise for GDPR compliance, you can download the free Best Practices and Essential Tools for GDPR Compliance webinar from SIEM vendor AlienVault.
By Ben Canner