In a recent post on the upcoming General Data Protection Regulation (GDPR) we explored the basics of the new European Union legislation and what makes this framework unique. We discussed the goals of this reform, to whom the regulations will apply and the penalties for non-compliance. In this post, we will cover the steps your organization should take to ensure that when May 25, 2018 arrives, you will be compliant.
Steps to Prepare for GDPRAs mentioned, no matter where your organization is located, if you hold or process information on EU citizens, the GDPR and its fines apply to you. With less than a year to go, the reality is many organizations have still not developed their plan to become compliant. This is a worrying trend as GDPR is highly nuanced and much planning is needed to ensure that every aspect of your data collection, processing, and storage meets requirements. To ensure that you are not among those caught off-guard, we strongly recommend the following steps:
Determine Your Organization’s ObligationsUnder GDPR, organizations are either:
- Data Controllers, which are the organizations that decide what data to collect and how it will be used. They are responsible for ensuring the transparency, accuracy, and confidentiality of any and all EU-citizen data they collect.
- Data Processors, which are the organizations that process or store data on behalf of the data controller.
Hire a Data Protection Officer (DPO)Once you understand your organizational responsibility, you must appoint a specific person to the role of DPO. Their job is to keep all employees aware and on top of compliance requirements as well as conduct employee GDPR training and audits. They will also be the point of contact between the GDPR authorities and your organization, and will be in charge of outlining how GDPR applies specifically to your organization. So, finding a competent DPO is a critical first step. (Note: this is only mandatory in organizations with over 250 employees but it’s highly recommended even in smaller organizations.)
Create a GDPR Data DiaryAs part of the process of becoming GDPR compliant, organizations must document their progress, the data they hold, how it’s processed and how it’s accessed. These records help ensure accountability and adherence to guidelines. Each EU country will have its own Data Protection Association supervisory board that will use these records to decide whether or not a breach has occurred.
Understand and Map Your Data and ProcessesTake a look at the data your organization collects or processes and get a full understanding of who has access to what data, how it flows, where it’s stored and backed up, as well as all access points. Become aware of where you may be vulnerable and make sure to have this all clearly documented.
Brace Your Organization for Requests from Data SubjectsAs discussed in the last post, GDPR extends expanded rights to citizens where their data is concerned. Data subjects will be granted the rights to ask to have their information deleted entirely when no longer in use for its specified purpose, to transfer their data, to restrict collected information and to remain informed before any data is collected. Furthermore, you must be able to fulfill requests in a timely manner or face severe penalties.
Comprehensive Backup and Disaster Recovery – A Cornerstone of GDPRNow, thanks to GDPR, how you store and retrieve data has become more critical than ever. Therefore, any storage solution must be simple to access and manage as data retrieval and recovery must be easy and efficient. N2WS’s Cloud Protection Manager gives you all the tools you need to ensure your organization meets GDPR requirements with ease, including:
- Data protection by design: To ensure that personal data is protected against misuse at every stage of its lifecycle.
- Integrity and availability: To allow you to restore access to personal data quickly following an outage or failure.
- Accountability: To provide comprehensive log and provide audit trails for all data consents, requests, and remedial actions.