On May 25, 2018, the EU General Data Protection Regulation (GDPR) becomes applicable across the EU.
GDPR, adopted by the European Parliament and the Council in April 2016, replaces the 1995 Data Protection Directive and is intended, among other things, to stem the growing number of reported data breaches, especially those involving online systems and services. In our blog of August 31 last year, we explained the various articles and implications of the new legislation.
Organizations have not been idle and are moving rapidly from GDPR awareness to GDPR compliance to make sure that Personally Identifiable Information (PII), or "personal data" in GDPR terms, is kept secure. As the recent Cambridge Analytica-Facebook user data scandal illustrates, only comprehensive compliance protects an organization from that kind of regulatory and reputational fallout. Because of this scandal, GDPR and the forthcoming ePrivacy Regulation are gaining even more momentum and credibility inside and outside the EU.
To become compliant before the deadline, organizations are combining several strategies to address the different challenges involved.
Working with third-party consultants
More and more organizations are looking at appointing their own in-house DPO. A Data Protection Officer is responsible for overseeing data protection compliance and managing the data protection risks of the organization; under Article 37 the role is mandatory for public authorities and for organizations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data. To meet GDPR requirements, the DPO can also direct the data privacy staff who carry out the day-to-day compliance activities. Since DPOs and security experts are in high demand, working with third-party consultants is a practical way to get GDPR ready, provided the consultant's own processing of your data is covered by a processor agreement.
Changing their recruiting and hiring processes
GDPR compliance is already affecting how organizations recruit and hire, including the methods they use to source potential candidates. So what are organizations worried about? For one, maintaining full records of recruiting processing activities and determining which lawful basis applies to each step; consent is only one of the bases Article 6 allows, and it must be freely given, which is hard to demonstrate in a hiring relationship. Enterprises also struggle with the question of how long they may retain a candidate's personal data before they must delete it or obtain consent to keep it.
Training their staff
Organizations need to train their staff to be GDPR aware. Ideally, such training encompasses:
- Identifying the key areas that need improvement, which gives insight into initiatives that serve core business goals such as cutting costs, reducing the risk of data breaches and protecting or enhancing the corporate reputation.
- Using engaging training materials to inform and motivate staff, which is what makes the effort stick in the long term.
- Offering practical techniques for maintaining compliance over time.
- Regular refresher training as part of an ongoing process, so that staff recognize and report data protection incidents when they occur.
Performing a gap analysis
To check where they stand, enterprises conduct a gap analysis covering:
- The roadmap and framework for accountability, to confirm that clear policies and procedures exist for monitoring, reviewing and assessing the data processing systems, and that the checks and balances in those procedures actually work.
- Whether privacy by design is implemented in a way that demonstrates compliance and can be shown to customers as a competitive advantage. This assures that both staff and stakeholders understand their responsibilities and obligations and take ownership.
- Whether data protection is integrated into every process, service and product before delivery, with a structured and systematic assessment and validation of the basis on which data subjects' data is processed, including how consent is recorded where consent is the basis.
- Since GDPR imposes direct obligations on processors, these must be integrated and embedded in policies, procedures and contracts (Article 28 requires a written contract with each processor). In practice, stakeholders and customers will ask for documentation showing that the services they buy meet GDPR requirements.
- Whether data subjects can actually exercise their rights to access, data portability and erasure, and whether they can withdraw consent for storing and processing their data as easily as they gave it.
- Cross-border data transfers, including intra-group transfers, which require a lawful transfer mechanism (an adequacy decision, standard contractual clauses or binding corporate rules) before personal data leaves the EU; relying on consent alone is a narrow derogation, not a general solution. None of this is new, but failure to comply is now subject to heavy fines under the GDPR.
- Being prepared for data security breaches. Organizations must have comprehensive policies and procedures in place so they can react quickly and efficiently to any data breach, notify the supervisory authority within 72 hours of becoming aware of it where feasible (Article 33) and inform the affected data subjects without undue delay when the breach is likely to result in a high risk to them (Article 34).
Purchasing security services and solutions
Needless to say, organizations need to invest in security services and solutions to protect their data, whether it is PII or business confidential information. But even the most advanced solutions have a hard time staying ahead of the latest cybercrime techniques, and a control that was effective when it was installed may no longer be, which directly affects GDPR compliance. There are two aspects to the problem. Firstly, organizations need to check how resilient and compliant their current data security is. Secondly, they need a way to verify that resilience and compliance on an ongoing basis. This requires a process for both ad hoc and scheduled testing, assessing and evaluating the effectiveness of the organization's security measures, which is exactly what Article 32 asks for when it requires "a process for regularly testing, assessing and evaluating" the technical and organizational measures in place.
To help with this, Cymulate's BAS platform assesses an organization's security posture at any time so it can check whether its technical measures hold up against the attacks the upcoming GDPR expects it to withstand. To find out more, sign up for Cymulate's FREE assessment without any obligation. See for yourself how Cymulate's automated platform continuously simulates attacks across different vectors to locate weaknesses, so you can mitigate them and keep your organization GDPR compliant.