4-step plan to help meet GDPR compliance
Ensuring your security posture is up to date and protecting your assets has never been more of a concern with the recent outbreaks of NotPetya and WannaCry. And while there are several measures you can take to protect yourself from a breach, one thing an organization should never ignore is compliance regulations within their industry.
That being said, let’s chat about the European General Data Protection Regulation (GDPR). The GDPR replaces the Data Protection Directive 95/46/EC and is designed to protect the data privacy of all EU citizens and reshape the way organizations approach data privacy. Enforcement of the GDPR begins May 25, 2018, and it applies to all companies processing the personal data of citizens residing in the EU, regardless of the company’s location.
Just as many organizations prepare for compliance with the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA) and National Institute of Standards and Technology (NIST) 800-171, it’s time to evaluate your organization to see whether you are doing all you can to conform to the GDPR.
On your way to compliance
I know that, like many organizations, you’re probably short on skilled experts and busy maintaining your security posture to enable your business and defend against breaches. So to keep things simple, here’s a 4-step plan to get you started on conformance with the GDPR.
Step 1: Talk to your legal counsel
Organizations should have a clear understanding of their legal obligations. Begin by having conversations with your legal counsel so that in the case of an unfortunate breach you know what your obligations are. Your counsel can also provide prescriptive guidance on how your organization needs to prepare for compliance with the GDPR.
Step 2: Know where your data resides
If your organization processes data about individuals in the context of selling goods or services to citizens in EU countries, then you will need to comply with the GDPR and know where that data is on your network. Organizations should start by identifying and interviewing key stakeholders who have the following job responsibilities:
- Hold administrative control over, and have been officially designated as accountable for, specific information asset datasets
- Hold technical control over an information asset dataset
- Are responsible for the “content” of the data
These individuals should be able to clearly articulate the entire data management lifecycle, including how data is created, stored, used, shared, archived and destroyed.
Step 3: Understand your current state of risk
Understanding your current state of risk, from both a programmatic and a technological standpoint, is very important. Begin your GDPR assessment by conducting interviews and walkthroughs with relevant IT and compliance personnel, in addition to other stakeholders who can clearly articulate your data management lifecycle.
Perform a gap analysis against generally accepted privacy principles as well as the GDPR requirements. A good place to start is one or more of the following NIST and best-practice guidelines:
- FIPS PUB 200 Minimum Security Requirements for Federal Information and Information Systems
- NIST Framework for Improving Critical Infrastructure Cybersecurity
- NIST 800-53 Security and Privacy Controls for Federal Information Systems and Organizations
- NISTIR 8062 An Introduction to Privacy Engineering and Risk Management in Federal Systems
- The UK’s National Cyber Security Centre 10 Steps to Cyber Security
- Cyber Essentials, a UK government-backed, industry-supported scheme to help organizations protect themselves against common cyber attacks
- The General Data Protection Regulation Matchup Series by the International Association of Privacy Professionals (IAPP)
The results of this assessment might uncover a list of control gaps, such as deficient technical controls and missing policies, processes and procedures. The outcome of the assessment will allow you to build a roadmap with milestones that show the steps needed to become compliant with the GDPR. It will also generate a list of artifacts that may be needed to successfully pass a GDPR audit.
Step 4: Make a plan
This will take some time, but carefully planning out your remediation and roadmap efforts is critical. Items for this plan might include updating all relevant policies, procedures, standards, guidelines and incident response protocols. Time is also needed to evaluate your technical controls, such as endpoint protection, security information and event management (SIEM), and the tuning of next-generation firewalls (NGFWs) and IPS. You may even plan to implement new controls.
There could also be a need for an enterprise segmentation plan, which is not something that can be done with the flip of a switch. Segmentation can help your organization function as efficiently and as securely as it possibly can, and it supports your GDPR compliance efforts.
If your organization is short on resources, World Wide Technology’s Global Security Practice is uniquely qualified to help organizations address GDPR readiness. Our expertise enables organizations to leverage state-of-the-art cybersecurity technologies to mitigate security risks while ensuring a holistic, strategic approach for true enterprise security management.
For help reaching GDPR compliance, reach out to your WWT Account Manager or contact us directly.