The General Data Protection Regulation (GDPR) impacts every business in the European Union (EU), as well as businesses doing business in the EU even if their headquarters are outside EU borders. GDPR enforcement begins in May 2018, giving enterprises ample time to plan and implement the needed controls.
With help from one of our security partners, Imperva, below is a suggested framework with milestones to help organizations ready themselves to be compliant by May 25th, 2018. If you are starting some of these less than a year out, the time frame can be adjusted as needed.
Stage 1: 0-6 months
1. Discovery process and inventory of known and unknown data repositories and sensitive data
2. Analyze data flow and touch points including sub-processors
3. Inventory current policy and procedures
4. Develop the breach discovery, response, and notification requirements for the following:
- Data monitoring
- Alerts and investigation process
- Discovery and immediate containment
- Assessment of loss and ongoing risk
- Incident response and investigation
- Notification of breach
- Post-event evaluation and response
- Draft the Data Protection Impact Assessment report
Stage 2: 6-12 months
1. Perform inventory and gap analysis of data security and compliance technology
- Evaluate and select monitoring, minimization and encryption technology
- Privacy by design
- Perform Privacy Impact Assessments (PIAs)
2. Define the Data Protection Officer (DPO) role and responsibilities:
- Alert the organization to any risks that might arise with regard to personal data
- Monitor the activities of all data controllers within the DPO’s corporate group
- Perform periodic checks to ensure that the organization’s security measures remain appropriate and up to date, and facilitate audits and investigations
- Provide guidelines to the Board of Directors as well as all members of staff
- Update the permissions (consent) collection process
- Negotiate with 3rd-party processors
- Evaluate requirements for data transfers to the USA
Stage 3: 12-24 months
- Phased implementation of data security and compliance technologies
- Compliance audits and reporting
- Hire DPO
- Roll out new policies and procedures (P&P)
- Test
- Training
- Verify and validate (Certification)
The above items represent the key milestones for each stage that can help achieve GDPR compliance and avoid hefty fines. Keep in mind that early certification can give your company a competitive advantage and will help bolster your brand image relative to the laggards.
If you missed the first post in our four-part series of GDPR readiness posts, here is the link. It covers some of the basics including who’s subject to GDPR guidelines.
For a free GDPR data security consultation, contact one of our security experts here.