GDPR 101 Part 3: What Should I Do Now?
Three tips to get the ball rolling on your GDPR efforts.
CISSP, CISA, QSA
If you are a merchant, or any organization that handles the personal data of European Union citizens, you will need to comply with the GDPR. Here are three ways you can make progress today towards your GDPR compliance.
1. Learn and understand
The first step you should take is to educate yourself. Learn about the GDPR requirements and seek out reliable resources. The Information Commissioner’s Office in the UK has a website and blog dedicated to educating the public about this upcoming data security mandate.
Here are some more GDPR resources to get you started:
- GDPR 101 Webinar
- GDPR 101 Part 1: Should I Be Worried?
- GDPR 101 Part 2: What are the Requirements?
- GDPR FAQs
- Infographic: How Prepared are UK Organizations for GDPR?
- Infographic: How Prepared are US Organizations for GDPR?
- Infographic: GDPR Compliance: UK vs. US
2. Assess and plan
In any kind of security effort, the first thing you’ll need to do is create a data-flow diagram. This will help you discover and clearly document where personal data flows. You’ll need to show where sensitive data enters and leaves your systems, and how it moves inside the organization.
Determine the security controls you don’t yet have in place. There are worksheets available, like these checklists from the UK ICO, to help you comply with GDPR. At this point, make a plan for how your organization will produce and complete all the documentation that will be required.
If you already follow other data security standards, like the Payment Card Industry Data Security Standard (PCI DSS), you may find there is some crossover between the data security controls. It’s important to realize that just because you’re certified compliant with PCI DSS or have had a HIPAA audit, that doesn’t mean you’re GDPR compliant.
Even though there are crossovers between data security standards, GDPR has a much larger scope because it includes many types of information that fall under “personal data,” like names, addresses, and telephone numbers. However, if you only handle credit card data, your scope may remain similar to what it already is under the PCI DSS.
You can use online management tools like GDPR Defense to manage your GDPR compliance efforts, securely store documentation, and track important tasks.
SEE ALSO: What's the Difference Between GDPR and PCI?
3. Assign a DPO or similar position
You may or may not be legally required to appoint a Data Protection Officer (DPO), depending on your “core activities,” or the primary business activities of your organization. According to the UK’s ICO website, if your core activities consist of either of the following, you will be required to appoint a DPO:
- Processing activities which require the regular and systematic monitoring of individuals on a large scale; or
- Processing on a large scale of special category data, or data relating to criminal convictions and offenses.
In short, if your core business activity is data processing on a large scale, or the processing of special or sensitive data, you will be required to have a DPO.
Even if you are not legally required to appoint a DPO, you should assign someone in your organization to serve as a GDPR officer. Assign one person to learn about, delegate, and oversee GDPR efforts at your organization.
WHITE PAPER: GDPR 101
Take steps sooner rather than later
The GDPR becomes enforceable on May 25, 2018. Take these three steps now to be as prepared as possible. Small actions now will help you avoid fines and penalties and better protect sensitive data at your organization. If your organization does experience a data breach involving EU citizens' personal data, you'll fare better in the aftermath if you have made a good-faith effort to comply with mandates and laws.
Gary Glover (CISSP, CISA, QSA, PA-QSA) is Director of Security Assessment at SecurityMetrics with over 10 years of PCI audit experience and 25 years of Star Wars quoting skills. May the Force be with you as you visit his other blog posts.