The EU General Data Protection Regulation (GDPR) deadline is in just over one week. On May 25, GDPR will dramatically change the way businesses process, store, and transmit EU citizen data, making 2018 a watershed year in the global battle over the future of our privacy. GDPR compliance, then, is on the mind of every business handling the data of EU citizens, regardless of where they’re located in the world.
GDPR’s impact expands far beyond the EU border. In response to GDPR, other regulations, and ethical concerns, businesses around the globe are strengthening their data privacy and security policies to empower citizens to become more involved in the handling of their personal information. This is timely in the wake of the Facebook data privacy scandal, which opened users’ eyes to how their data is actually being used.
Whether you are just beginning your journey to GDPR compliance or you’ve already solidified your program, here is a checklist of six steps that can help you develop and improve your GDPR data compliance program within the specific framework of cloud security.
#1: Appoint a Data Protection Officer
A data protection officer helps drive your organization’s vision for privacy and owns how you communicate and implement your new strategy. This role, mandated by Article 38 of GDPR, requires a robust knowledge of relevant GDPR data protection laws and the ability to implement and monitor an effective compliance program. There are major advantages for those qualified for the role, including relatively independent operation and access to high levels of management.
#2: Conduct a Data Assessment
There’s a common misconception that “what we can’t see won’t hurt us,” and it certainly doesn’t apply to GDPR. You need a bird’s-eye view of your sensitive data and the workflows associated with that data. Article 4 of GDPR defines “personal data” as any information related to an identified person. This broad definition may include names; ID numbers; location; online identifiers; and physical, genetic, economic, cultural, or social identities. A data assessment can help you picture where your data lie and gain control over its use — including connected cloud applications, third parties, shadow IT, and more.
#3: Protect Yourself Against Privileged Users
Once you have your data under control, you need to know who is accessing it. Seventy-four percent of employees have access to sensitive data, which makes them insider threats; many of these may be privileged users. Privileged users can access more information than the average employee, and therefore hold the keys to your business’ kingdom. This may include “personal data” as defined by GDPR. You should have controls in place to not only monitor user permissions, but also unusual behavior that could put you at risk of noncompliance, ensuring that only authorized persons have access to personal data per their role and aren’t abusing their permissions (Article 27 of GDPR).
#4: Monitor for Insider Threats and Breaches with Cloud Security
According to GDPR Article 33, you must be able to detect and report a data breach to the relevant supervisory authority within 72 hours of the occurrence. Considering that 60 percent of breaches are caused by insiders, it’s essential to monitor for insider threats. You can monitor for damaging behaviors that can lead to a breach, nipping malicious or careless behavior in the bud before a breach occurs.
#5: Prepare to Fulfill Data Privacy Rights
As you develop your program, keep in mind that you are required to fulfill upon six data privacy rights granted to EU citizens (regarded as data subjects) that give them control over their own personal information. For example, GDPR Article 17 gives subjects the right to have their personal data deleted under certain circumstances, while Article 20 grants subjects the right to obtain and reuse their personal data with other services. You should properly address your data’s availability and control in order to ensure that data subjects’ best interests are always in mind.
#6: Follow a Security Framework
Take GDPR as an opportunity to strengthen your compliance posture and showcase your security aptitude. Following a security framework like NIST, CIS, or ISO 27001 will help give you the structure to ensure the confidentiality, integrity, and availability of processing systems and services (Article 32 of GDPR), providing an excellent foundation for achieving GDPR’s technical requirements. It also helps you build the case for how you’re complying with GDPR. Ultimately, the goal shouldn’t be simple compliance with a law, but rather an overall culture of data privacy and ethics.
Preparing for GDPR: Creating a Culture of Compliance
GDPR is not a check-the-box regulation, but this last-minute checklist can help you build a solid foundation for your GDPR compliance program. Use this new era of security and privacy, where data subjects have more rights over the use of their information, as an opportunity to gain control of your data, streamline your workflow and security posture, and establish trust between you and your customers, partners, and affiliates.