Well Ladies and Gentlemen, GDPR is finally upon us. I say finally because we have collectively been studying, reviewing, preparing and planning for this day for quite some time now. I know that not everyone is ready. And the European Commission equally knows that not everyone is ready. That is not an invitation to flaunt the rules however. In fact, I have pointed out before that there are indications that the European Commission will be keen on ensuring the regulation is taken seriously out of the gate.
If you find yourself among the minority that is “ready” I congratulate you, as data privacy will no longer stand still for any of us. And those who find themselves among the majority that is not ready, this is a good time to practice the principle of priority.
First, if for some reason this is the first time you are hearing about GDPR or more likely new to the world of compliance GDPR, short for General Data Protection Regulation, is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU). The General Data Protection Regulation covers all companies that deal with data of EU citizens. You can get a crash course on the topic by reading the many past blogs we have posted on the topic as well as watching the several webinars where we deep dive on the regulation.
“The Principle of Priority states (a) you must know the difference between what is urgent and what is important, and (b) you must do what’s important first.” -Steven Pressfield
To quote Steven Pressfield, author of The War of Art, “The Principle of Priority states (a) you must know the difference between what is urgent and what is important, and (b) you must do what’s important first.”
Of the 99 Articles contained within the regulation, I want to focus on the 5 important activities that you can prioritize right now.
#1 – Appoint a Data Protection Officer
Many organizations will be required to appoint a data protection officer (DPO) as a result of the GDPR. DPOs are to have formal responsibility for data protection compliance within the organization, but more importantly, if you are just beginning the process of coming into compliance you need someone to drive all related activities and be accountable for ensuring that your organization is within compliance.
The appointment of a DPO under the EU General Data Protection Regulation (GDPR) is only mandatory in three situations: when the organization is a public authority or body, or when the organization’s core activities consist of either:
- Data processing operations that require regular and systematic monitoring of data subjects on a large scale; or
- Large-scale processing of special categories of data (i.e. sensitive data such as health, religion, race, sexual orientation, etc.) and personal data relating to criminal convictions and offenses.
There is no exemption for small and medium-sized enterprises (SMEs), which has been reaffirmed by the Information Commissioner’s Office (ICO).
#2 – Locate all EU citizen data throughout your systems
The ability to protect EU citizen data, account for its processing, or comply with the right to be forgotten rests entirely on your ability to know where all of the data exists. Put another way, how do you expect to demonstrate compliance of your processing activities or comply with a right to be forgotten request if you do not know everywhere the data exists? The answer is you can’t. A data discovery and classification program does not have to be daunting and with a narrowly defined scope, in this instance just EU citizen data, can be done well and right away.
#3 – Apply a least privilege model to all EU Citizen Data
One of the tenants of GDPR requires that organizations limit the risk of unlawful destruction, loss, alteration, unauthorized disclosure of, and most importantly, access to EU citizen data. Applying the principle of least privilege means granting a limited set of privileges; just enough privileges for users to get their jobs done, but no more than that. Because almost all of us will not be building new IT systems from scratch, this also means unravelling the years of access that users have accumulated and the many hidden ways access is over extended. Auditing your environment does not have to be a herculean task however, and in fact, with the right tools can be accomplished in a timely manner.
[UPCOMING WEBINAR] Automation – The Key to Achieving a Least Privilege Access Model Across Your Network File Shares – Register here.
#4 – Generate compliance artifacts surrounding all processing activities
Under GDPR, organizations must demonstrate accountability and transparency in all decisions regarding personal data processing activities. Accountability under the GDPR requires proper data subject consent acquisition. And transparency means you will have to demonstrate things such as who can access a data subject’s information as well as who has been accessing the information. Once we apply a least privilege model, demonstrating who has access becomes achievable; to demonstrate how that access is being used we need to add activity monitoring into our data protection program. Activity monitoring allows you to protect data from both malicious activity against data as well as unintentional acts.
#5 – Prepare for data subjects exercising their rights
A data subject’s rights have been expanded under the GDPR and now include the right to be forgotten, the right to data portability, and the right to be informed in case of a data breach. The right to be forgotten is the concept that individuals have the civil right to request that personal information be removed from an organizations systems – or more accurately, the right of erasure. With a data discovery and classification system in place, complying with this request becomes far easier. And just as importantly, being able to demonstrate that you can comply with the right to erasure is also necessary to chow compliance.
It is never too late to put a data protection program in place that addresses the requirements of GDPR, however, time is no longer on your side, so these are the 5 activities you must prioritize to avoid falling foul of the regulation and its harsh penalties. For more information on how STEALTHbits can help you meet the new GDPR requirements, please visit www.stealthbits.com/preparing-for-gdpr.
Gabriel Gumbs is the VP of Product Strategy at STEALTHbits Technologies responsible for end-to-end product vision and innovation. With a 16 year tenure in CyberSecurity, he has spent most of that time as a security practitioner, aligning security innovations with business objectives for Fortune 100 organizations. Gabriel is an information security thought leader, privacy advocate and public speaker.