Up until now we have covered two areas of the GDPR – who the GDPR applies to and what data security requirements it sets.
Here we talk about the impact the GDPR has on organizations.
Every company should answer at least a few important questions before the GDPR comes into force.
What Data Do You Own and Where Do You Keep It?
Analyze what sort of data your organization handles.
To get a clear picture, you need to identify what kinds of personal data you keep (financial information, customer information, marketing information and so on) and where each kind is stored.
People outside the data security industry often don't realize that building and maintaining an inventory of structured and semi-structured data spread all over the organization by hand is very hard, if not impossible.
This process should be automated with tools that can discover unknown data stores and identify personal and confidential data inside them using pattern recognition. Such information then has to be classified and assigned a risk profile.
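As an added illustration (example code written for this edit, not a Grey Wizard tool and not from the original article), the following Python script shows the core of such a discovery step: it scans a constructed sample of records with regular expressions for common personal-data identifiers, validates the noisy patterns (Luhn check for payment cards, ISO 7064 mod-97 check for IBANs) to reduce false positives, and assigns each record a risk tier. The record locations, sample values, patterns, weights and tier thresholds are all assumptions made for the example, not definitions from the GDPR.

```python
"""Pattern-based discovery and risk-scoring of personal data in a data store.

Example code added to this article; not a Grey Wizard product. Detector
patterns, weights and the risk tiers are illustrative assumptions.
"""
import re

EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
# 13-19 digits, optionally separated by single spaces or dashes, ending on a digit
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")
PHONE_RE = re.compile(r"\+\d{1,3}[ -]?\d{2,4}(?:[ -]?\d{2,4}){2,3}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum for payment-card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def iban_ok(iban: str) -> bool:
    """ISO 7064 mod-97: move the first four chars to the end, map A=10..Z=35,
    and the resulting integer must be congruent to 1 modulo 97."""
    rearranged = iban[4:] + iban[:4]
    numeric = "".join(str(int(c, 36)) for c in rearranged)
    return int(numeric) % 97 == 1


# name -> (pattern, optional validator applied to the raw match, risk weight)
DETECTORS = {
    "email": (EMAIL_RE, None, 1),
    "phone": (PHONE_RE, None, 1),
    "iban": (IBAN_RE, iban_ok, 3),
    "card": (CARD_RE, lambda m: luhn_ok(re.sub(r"[ -]", "", m)), 3),
}


def find_personal_data(text: str) -> dict:
    """Return {detector_name: [validated matches]} for one text blob."""
    hits = {}
    for name, (pattern, validate, _) in DETECTORS.items():
        found = [m for m in pattern.findall(text) if validate is None or validate(m)]
        if found:
            hits[name] = found
    return hits


def risk_tier(hits: dict) -> str:
    """Map the weighted hit count to an assumed tier."""
    score = sum(DETECTORS[name][2] * len(found) for name, found in hits.items())
    if score == 0:
        return "none"
    return "high" if score >= 3 else "medium"


def scan_store(records: list) -> list:
    """Scan (location, text) pairs and return inventory rows with a risk tier."""
    inventory = []
    for location, text in records:
        hits = find_personal_data(text)
        inventory.append({"location": location, "hits": hits, "risk": risk_tier(hits)})
    return inventory


# Constructed sample records standing in for rows pulled from real data stores.
SAMPLE_RECORDS = [
    ("crm.customers#1", "Anna Kowalski <anna.k@example.com> tel +48 22 123 45 67"),
    ("billing.invoices#1", "card 4111 1111 1111 1111 paid via GB82WEST12345698765432"),
    ("marketing.notes#7", "Q3 campaign budget: 1234 5678 9012 3456 impressions"),  # fails Luhn
    ("logs/app.log", "request_id=20240101 status=200"),
]

if __name__ == "__main__":
    for row in scan_store(SAMPLE_RECORDS):
        print(row["location"], row["risk"], sorted(row["hits"]))
```

The checksum validators are what keep a scanner like this usable: a 16-digit campaign metric or an internal ID would otherwise be reported as a card number on every run, and analysts stop reading the inventory.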
Who Can Access the Data and Can You Control It?
The most important data-related requirement is limiting access to personal data. This can be done in several ways, for example through masking and data minimization. Even though these measures are highly recommended, there will always be users and applications that need full access to live personal data.
Providing them with access requires a couple of things in place:
- User access controls
- User rights management
- Activity monitoring
As with data inventories, these tasks are best handled by automated tools.
One of the most common problems across companies is excessive access to data: users and service accounts keep rights they never use. Tools that learn normal access patterns, including machine-learning-based ones, can help find such rights.
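The following Python example is added here to make the monitoring step concrete; it is not from the original article, not a Grey Wizard feature, and rule-based rather than machine-learning-driven. Given an assumed grant table (which users may read which personal-data stores) and constructed access-log lines in an assumed format, it lists grants that were not exercised within a review window, which is the raw material for removing excessive access, and separately flags reads of stores the user was never granted.

```python
"""Access-right review from a grant table and activity logs.

Example code added to this article. The log format, store names, users and
the 90-day review window are assumptions made for illustration.
"""
from datetime import datetime, timedelta
import re

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) store=(?P<store>\S+)$"
)

# Assumed grant table: user -> personal-data stores the user may read.
GRANTS = {
    "alice": {"crm.customers", "billing.invoices", "hr.payroll"},
    "bob": {"crm.customers"},
    "svc_report": {"crm.customers", "billing.invoices"},
}

# Constructed activity log; the last line is deliberately older than the window.
SAMPLE_LOG = """\
2018-03-01T09:12:44Z user=alice action=read store=crm.customers
2018-03-02T10:03:01Z user=bob action=read store=crm.customers
2018-03-03T11:45:09Z user=svc_report action=read store=billing.invoices
2018-03-05T08:00:00Z user=bob action=read store=hr.payroll
2017-11-20T13:30:00Z user=alice action=read store=billing.invoices
"""


def parse_log(text: str) -> list:
    """Parse log lines into (timestamp, user, store); unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append((datetime.strptime(m["ts"], TS_FMT), m["user"], m["store"]))
    return events


def review_access(grants: dict, events: list, now_iso: str, window_days: int = 90) -> dict:
    """Return grants unused inside the window and accesses with no matching grant."""
    now = datetime.strptime(now_iso, TS_FMT)
    cutoff = now - timedelta(days=window_days)
    used = {}
    unauthorized = []
    for ts, user, store in events:
        if store not in grants.get(user, set()):
            # Access without a grant is a control failure regardless of age.
            unauthorized.append((user, store, ts.strftime(TS_FMT)))
        if ts >= cutoff:
            used.setdefault(user, set()).add(store)
    unused = {}
    for user, stores in grants.items():
        idle = sorted(stores - used.get(user, set()))
        if idle:
            unused[user] = idle
    return {"unused_grants": unused, "unauthorized": unauthorized}


if __name__ == "__main__":
    report = review_access(GRANTS, parse_log(SAMPLE_LOG), "2018-03-31T00:00:00Z")
    for user, stores in report["unused_grants"].items():
        print(f"{user}: candidate for revocation -> {', '.join(stores)}")
    for user, store, ts in report["unauthorized"]:
        print(f"{user}: read {store} at {ts} without a grant")
```

The two output lists feed different processes: unused grants go to the owner for a revoke-or-justify decision, while reads without a grant are an incident, because they mean the access control layer and the grant table disagree.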
What are the Responsibilities of Your Processors?
As a data controller working with processors, you have to ensure that those processors protect the data you are responsible for in accordance with the GDPR. This is handled with appropriate contracts (the GDPR requires a written data processing agreement with each processor) and with technology that limits where data can move.
This is particularly important for transfers outside the EU. Transfers to countries the EU has recognised as providing an adequate level of protection, for example Israel, Switzerland, Argentina and New Zealand, can proceed without additional safeguards.
The complete list of countries with such an adequacy decision is published by the European Commission.
A remote desktop session counts as a transfer too: if someone views personal data on screen from outside the EU, or outside one of the countries with an adequacy decision, the transfer requirements apply. To keep the data you manage under control you need both legal and technical controls.
Chapter V of the GDPR governs transfers of personal data from the EU to third countries or international organizations. Any organization that processes data originating in the EU has to ensure that such transfers are covered by an adequacy decision or appropriate safeguards. Without them, the data cannot be transferred.
And What About Transfers from the EU to the U.S.?
Here you have to answer one question: does your organization control its data transfers to the U.S.?
Binding Corporate Rules (BCRs) and model contracts (standard contractual clauses) help define the relationship between controller and processor. Many companies relied on the Safe Harbor Framework, which provided the legal basis for transfers to the U.S. until it was invalidated in 2015; it was replaced by the EU-U.S. Privacy Shield Framework in 2016.
Created by the U.S. Department of Commerce and the European Commission, the Privacy Shield Framework gives companies a mechanism to meet the EU's protection requirements for data transferred from the EU. It is a self-certification scheme open to U.S. organizations: an eligible organization joins by self-certifying and publishing its commitment on the Privacy Shield website.
There is an ongoing debate about the legal challenges the Privacy Shield Framework faces. Facebook, Google, Microsoft, Oracle and around 1,750 other companies have already signed up for the EU-U.S. Privacy Shield, which the European Commission has approved as providing adequate protection.
Where Should You Start?
Preparing an organization for the GDPR might seem overwhelming, but it becomes a lot easier once you have answered the questions above.
Those answers will then help you create a plan along the following steps:
- Analyze the data you're in possession of, where it's stored and its risk profile
- Review the flow of data and all access points
- Revise actual protection policies and procedures
- Conduct a gap analysis to the new requirements
- Review existing technologies, processes, contracts and resources to fill gaps
- Build a timeline leading up to May 2018 and review the elements already rolled out
These are just general tips; the actual list of necessary steps is longer. Check our blog for more details on getting your organization ready for the GDPR.
How does Grey Wizard help to get ready for GDPR?
Grey Wizard reduces the risk of data leaks by protecting your infrastructure and internet-facing environment against hacking attacks, shielding websites and web applications from data leaks.