How to be GDPR Compliant (and Stay Compliant) – 4 Critical Steps
Now that the first anniversary of the General Data Protection Regulation (GDPR) has passed, you should have a good idea of how to be GDPR compliant, especially since the amnesty period is essentially over. As we move into the second year, the focus will be on whether the companies that have attested to compliance can maintain it. If your organization is asking how to become GDPR compliant, or how to remain compliant, this list of 4 tips will help.
Step 1 – Perform Data Mapping and Risk Analysis
The best first step to GDPR compliance is easy to explain, but challenging to complete for many organizations. You must know your data.
What personal data does your organization hold?
Is personal data sensitive or non-sensitive?
If the personal data is sensitive:
Why do you have it?
How/where did you get it?
How/where is it used?
How/where is it stored?
Who can access it?
How is it transported, processed and/or modified?
How do you secure it?
How is the erasure/destruction of data completed?
To best know your data, you should complete a data mapping and risk analysis exercise. This requires input from every part of the organization, since data is often held or shared across groups or verticals. Consider not only obvious data sources, such as databases for software applications, but also sources you may not think of as “personal data,” such as CCTV footage, front desk sign-in sheets, or biometric data. You must know your data’s “journey” through your organization, from the moment you obtain it to the day you destroy it. When determining the risk associated with sensitive personal data, ask yourself this simple question: “How concerned would I be if this information about me was released?” You can also take a Marie Kondo approach to personal data – if you do not need it, get rid of it. Nothing brings joy like lessening the burden and cost of storing and protecting sensitive personal data.
To maintain GDPR compliance, an organization needs to repeat this exercise whenever the data changes – new data is brought in, existing data is retired, data is combined in a different way, processes for handling data change, etc. Reviews should be completed at least annually.
Step 2 – Do a Technology Map and Risk Assessment
Just as your organization needs to know its data, it must also know its technology. A review of the technologies (hardware, software, networks) used to obtain, collect, store, alter, erase, process and transport personal data is crucial to visualizing your data’s journey. These systems and their related processes must be properly configured, hardened, maintained and retired to ensure that personal data is properly handled under GDPR. Process mapping with a focus on technology and data is recommended for achieving that single view of your data and technology ecosystem and for meeting the Privacy by Design requirements of GDPR. These flowcharts allow you to see which systems are used with which data processes. This allows you to determine the best configuration for security controls. Be sure to include all relevant technologies from across the organization, even ones that may not seem as obvious – cameras, door access systems, firewalls, etc. Based on the first year of GDPR and the fines that have been issued, here are some specific technical issues you should address when placing controls around personal data:
Enable two-factor authentication (2FA) or multi-factor authentication (MFA), when available
Enable end-to-end encryption, when available
Enable strong password encryption
Have strong access controls (who can access what data) in place
Have a system for capturing and tracking user consent
Complete regular vulnerability scans and penetration testing of web sites, web applications and web services
To maintain GDPR compliance, an organization needs to complete this exercise whenever a change occurs to technology – new technology is purchased and brought online, existing technology is retired, technology processes for handling data change, etc. Reviews should be completed at least annually here as well.
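Three of the controls listed above (strong password storage, access controls on who can read which data, and a system for capturing and tracking consent) can be seen working together in a small in-memory service. The following is an added example written for this article, not code from the original post or from any product it describes; the scrypt work factors, the role policy, the consent ledger and the subject record are all constructed values. It treats the article's "strong password encryption" in the form practitioners actually deploy it: a slow, salted password hash rather than reversible encryption.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple

# scrypt work factors (assumed values for this example; tune to your hardware and current guidance).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_LEN, KEY_LEN = 16, 32


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a slow, per-user-salted hash; store (salt, key), never the plaintext."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return salt, key


def verify_password(password: str, salt: bytes, expected_key: bytes) -> bool:
    """Constant-time comparison so response timing does not leak partial matches."""
    _, key = hash_password(password, salt)
    return hmac.compare_digest(key, expected_key)


# Dummy credential used so unknown usernames cost the same time as wrong passwords.
_DUMMY_SALT, _DUMMY_KEY = hash_password("not-a-real-password")

# Constructed policy: the personal-data fields each role may read (least privilege).
ACCESS_POLICY: Dict[str, Set[str]] = {
    "support": {"name", "email"},
    "hr": {"name", "email", "date_of_birth", "national_id"},
}

# Constructed consent ledger: subject -> purpose -> (granted?, when, where captured).
CONSENT: Dict[str, Dict[str, Tuple[bool, str, str]]] = {
    "subject-42": {
        "service_delivery": (True, "2019-05-25T10:00:00Z", "signup form v3"),
        "marketing": (False, "2019-06-01T08:12:00Z", "preference centre"),
    },
}

# Constructed personal-data record for one data subject.
RECORDS: Dict[str, Dict[str, str]] = {
    "subject-42": {"name": "A. Example", "email": "a@example.invalid",
                   "date_of_birth": "1980-01-01", "national_id": "XX-0000"},
}

USERS: Dict[str, Tuple[str, bytes, bytes]] = {}   # username -> (role, salt, key)
AUDIT: List[Dict[str, str]] = []                   # every access attempt, allowed or denied


def register_user(username: str, password: str, role: str) -> None:
    salt, key = hash_password(password)
    USERS[username] = (role, salt, key)


def has_consent(subject: str, purpose: str) -> bool:
    """Consent must be an explicit recorded 'yes' for this purpose; absence counts as no."""
    entry = CONSENT.get(subject, {}).get(purpose)
    return bool(entry and entry[0])


def _audit(username: str, subject: str, purpose: str, outcome: str) -> None:
    AUDIT.append({"when": datetime.now(timezone.utc).isoformat(), "user": username,
                  "subject": subject, "purpose": purpose, "outcome": outcome})


def read_personal_data(username: str, password: str, subject: str, purpose: str) -> Dict[str, str]:
    """Authenticate, check consent for the stated purpose, then return only the
    fields the caller's role may see. Every denial is audited and raised."""
    role, salt, key = USERS.get(username, ("", _DUMMY_SALT, _DUMMY_KEY))
    if username not in USERS or not verify_password(password, salt, key):
        _audit(username, subject, purpose, "denied:auth")
        raise PermissionError("authentication failed")
    if not has_consent(subject, purpose):
        _audit(username, subject, purpose, "denied:consent")
        raise PermissionError(f"no consent recorded for purpose {purpose!r}")
    allowed = ACCESS_POLICY.get(role, set())
    _audit(username, subject, purpose, "allowed")
    return {k: v for k, v in RECORDS.get(subject, {}).items() if k in allowed}


if __name__ == "__main__":
    register_user("alice", "correct horse battery staple", "support")
    print(read_personal_data("alice", "correct horse battery staple", "subject-42", "service_delivery"))
```

The audit list is what makes the controls reviewable: a support user reading a record for service delivery is logged as allowed, while a marketing read of the same subject is refused and logged because consent for that purpose was recorded as withheld. Swapping the in-memory dictionaries for a database does not change the order of checks, which is the point worth preserving in a real system.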
Step 3 – Identify and Document Data-related Business Processes
Your organization must have documented business processes for the handling of personal data. More importantly, you must test these processes on a regular basis to ensure that they are optimized and meet the requirements of GDPR. Common data-related business processes an organization should document, test and keep up to date include:
Information Security Policy (ISP)
Incident Response Plan (IRP)
Business Continuity and Disaster Recovery Plan (BCDR)
Data Privacy Addendum (DPA)
Third-Party Vendors/Service Providers
Processes for handling GDPR individual rights requests (the rights to be informed, of access, rectification, erasure, restriction of processing, data portability, objection, and restriction of automated decision making and profiling)
Process for data transfers