Ready or not, General Data Protection Regulation (GDPR) becomes law on May 25th, 2018, and failure to comply could cost your company millions. If you think this only affects the security and IT ops teams in the EU, think again. GDPR will have global business impact and it will affect your organization if you plan to scale globally, have customers in Europe or want to compete internationally.
Think of GDPR compliance as a program—not a project. Here are five steps to ensure GDPR compliance in your organization.
Step #1: EXECUTIVE AWARENESS
As stated before, GDPR affects your business. It’s not simply a security issue. If your organization wants to keep up with global competitors and do business with EU citizens, this is everyone’s issue. You have to get your entire executive team and the board on the same page, and to manage the risk continuously you need to name a Data Protection Officer (DPO).
Step #2: PRIVACY OFFICE
Once you have the executive team on board—with funding and full commitment—it’s time to organize your privacy office. This should really be a full network; your entire organization should be looped in and everyone should be accurately updated on regulations and rules. Your DPO needs to align a privacy counsel and program manager to help roll out GDPR compliance all the way from the CEO to sales and marketing and support to IT ops, and so forth.
Step #3: MAP PROTECTED DATA
Everyone’s on board? Great. Now it’s time to take a look at what personally identifiable information (PII) is collected and why. Where is it stored and how is it classified? Take an in-depth audit now. Is PII transferred across borders? Why and who is it shared with?
Step #4: OPERATIONAL IMPLEMENTATION
It’s time to build and customize your company’s processes, including your Incident Response Process and the breach notification it must deliver within 72 hours under GDPR. Your DPO should also assess your third-party vendor risks at this time. Be thorough.
Step #5: AWARENESS AND TRAINING (REPEAT)
Build the new requirements into your new-hire training, but don’t forget about ongoing technical training for senior staff. Make annual security training mandatory and brief your executive leadership regularly on the organization’s GDPR readiness.
Continuous compliance, detailed mapping and auditing of the “why” and “how” of your customers’ PII and data, and a strong privacy team led by a Data Protection Officer who knows the importance of getting buy-in from the board will keep your company compliant.
Don’t take chances. Security is not a game. Watch the full GDPR webinar by Pluralsight’s own Head of Information Security, Trenton Bond, here.