The General Data Protection Regulation (GDPR) is one of the most discussed topics in IT security around the globe. The European Union (EU) regulation gives people more say over what companies can do with their personal data, while making data protection rules largely uniform throughout the EU. Although the regulation originated in the EU, its reach is global: any organization that processes the personal data of people in the EU must comply, wherever that organization is based.
With the 25 May 2018 enforcement date approaching, IT security professionals worldwide are scrambling to ensure they are ready (and to avoid the strict fines for non-compliance and for breaches, which can reach 4% of global annual turnover or 20 million euros, whichever is higher). In the video below, Sumo Logic VP of Security and Compliance George Gerchow offers three ways to get you GDPR-ready in no time.
1. Establish a Privacy Program
Establishing a privacy program lets you set a baseline for privacy standards: what personal data you collect, why, on what legal basis, who may access it, and how long you keep it. Once a privacy program is in place, each new regulation such as GDPR becomes a gap analysis between where you are and where you need to be, rather than a project started from scratch.
2. Designate a Data Protection Officer
This is a critical part of complying with GDPR, and a great way to build sound data security principles into your organization. Note that GDPR (Article 37) makes a DPO mandatory only for public authorities and for organizations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data; any other organization may still appoint one voluntarily, and the same requirements then apply.
Under the GDPR requirements, the Data Protection Officer:
- Must report directly to the highest level of management
- Can be a staff member or an external service provider
- Must be appointed on the basis of professional qualities, particularly expert knowledge on data protection law and practices
- Must be provided with appropriate resources to carry out their tasks and maintain their expert knowledge
- Must not carry out any other tasks that could result in a conflict of interest
3. Take Inventory of Customer Data and Protections
Before the enforcement date arrives, take a thorough inventory of where your customer data is housed and how it is protected. Make sure you understand the journey of customer data from start to finish: collection, processing, storage, sharing with third parties and processors, and eventual deletion. GDPR (Article 30) also requires most organizations to keep records of their processing activities, so this inventory is a compliance artifact in its own right, not just a preparatory step.
Keep in mind that the data is only as secure as the systems you use to manage it. As you trace the flow, note every critical system the data passes through or depends on, including databases, backups, log pipelines, analytics tools, and third-party services that are easy to overlook. Make sure the data is protected at every step with appropriate controls such as encryption in transit and at rest, access control, and pseudonymization (GDPR Article 32 names encryption and pseudonymization explicitly as appropriate technical measures).
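One way to turn the inventory step into something repeatable is to record each system and each data flow between systems, then run a gap analysis over that record. The following is an added illustration, not code from the original post or from Sumo Logic: the inventory is constructed for the example, and the system names, field names, regions and control vocabulary ("tls", "encryption", "access_control") are all assumptions. It flags personal data crossing a hop without TLS, systems that hold personal data without encryption at rest or without a retention period, data housed outside the EU (where a transfer mechanism must be confirmed), and any destination that receives personal data but was never inventoried at all.

```python
"""Gap analysis over a customer data-flow inventory.

Added illustration, not code from the original post or from Sumo Logic.
The inventory below is constructed for the example; the system names,
field names, regions and control vocabulary ("tls", "encryption", ...)
are all assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional

# Fields treated as personal data (assumed list for the example).
PERSONAL_FIELDS = {"email", "name", "phone", "ip_address"}
# Regions counted as "inside the EU" for the example.
EU_REGIONS = {"eu-west-1", "eu-central-1"}


@dataclass
class System:
    name: str
    owner: str
    region: str                                  # where the data is housed
    at_rest: set = field(default_factory=set)    # storage controls in place
    retention_days: Optional[int] = None         # None = no retention defined


@dataclass
class Hop:
    source: str
    dest: str
    fields: tuple                                 # data fields carried across this hop
    in_transit: set = field(default_factory=set)  # controls on the wire


def carries_personal_data(hop):
    return bool(PERSONAL_FIELDS & set(hop.fields))


def systems_holding_personal_data(hops):
    """Every system that sends or receives at least one personal-data field."""
    holders = set()
    for h in hops:
        if carries_personal_data(h):
            holders.update((h.source, h.dest))
    return holders


def find_gaps(systems, hops):
    """Return sorted findings: where personal data is unprotected or unaccounted for."""
    by_name = {s.name: s for s in systems}
    findings = []
    for h in hops:
        if not carries_personal_data(h):
            continue
        if "tls" not in h.in_transit:
            findings.append(f"{h.source}->{h.dest}: personal data without TLS in transit")
        for end in (h.source, h.dest):
            if end not in by_name:
                findings.append(f"{end}: system not in inventory (unknown owner/region)")
    for name in systems_holding_personal_data(hops):
        s = by_name.get(name)
        if s is None:
            continue                              # already reported above
        if "encryption" not in s.at_rest:
            findings.append(f"{name}: personal data at rest without encryption")
        if s.retention_days is None:
            findings.append(f"{name}: no retention period defined")
        if s.region not in EU_REGIONS:
            findings.append(f"{name}: housed outside the EU ({s.region}); confirm a lawful transfer mechanism")
    return sorted(set(findings))


def sample_inventory():
    """Constructed example inventory; these are not real systems."""
    systems = [
        System("web-app", "Platform team", "eu-west-1", {"encryption", "access_control"}, 30),
        System("crm-db", "Sales ops", "us-east-1", {"access_control"}),
        System("log-pipeline", "SecOps", "eu-west-1", {"encryption"}, 90),
    ]
    hops = [
        Hop("web-app", "crm-db", ("email", "name", "plan"), {"tls"}),
        Hop("web-app", "log-pipeline", ("ip_address", "path")),    # plain-text log shipping
        Hop("crm-db", "mailchimp-export", ("email",), {"tls"}),    # third party nobody inventoried
    ]
    return systems, hops


if __name__ == "__main__":
    for finding in find_gaps(*sample_inventory()):
        print(finding)
```

The point of the model is that the checks run over hops, not just over systems: a database that is encrypted at rest still shows up as a gap if personal data reaches it over a plain-text link, and a third-party destination that appears only as the far end of a hop is reported precisely because nobody recorded an owner or region for it. Run against a real inventory, the same structure gives you the list of "critical systems that the data depends upon" and the protections still missing at each step.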
Bonus Tip: Arrange Third-Party GDPR Validation
Between now and May 2018, you will start to see contracts coming through that ask whether you are GDPR-compliant. When the deadline rolls around, there will be two groups of organizations out there:
- Companies that have verification of GDPR compliance to share with prospective clients.
- Companies that say they are GDPR compliant and want clients to take their word for it.
Being in the first group gives your company a head start. Conduct a thorough self-assessment (and document the results, including the data inventory and the gaps you closed) or use a third-party auditor to provide independent evidence of your GDPR compliance.
Learn More About GDPR Compliance
Ready to get started with GDPR? George Gerchow, the Sumo Logic VP of Security and Compliance, shares more tips for cutting through the vendor FUD surrounding GDPR.