With the General Data Protection Regulation set to take effect in Europe this spring, survey after survey shows that not only are fewer than half of companies prepared to meet the GDPR deadline, but many still haven’t even heard of it.
Unless your organization is already well along in your GDPR planning, chances are you won’t be fully prepared by the May 25 implementation date. However, there are steps you can take to minimize the risk to your organization, should regulators come calling.
GDPR presents a bit of a paradox because the law is intended to increase both security and access. The regulation raises the bar for protecting the information of EU citizens, but it’s also meant to make it easier for those people to obtain their data whenever they want. Preparation starts with knowing where personal information is located. In many cases, that’s not just in customer records and marketing databases, but also in SharePoint documents, emails, spreadsheets and Slack discussions. You can’t protect what you don’t know about, so start by creating an inventory of personal information on all known EU citizens in your records.
To the greatest degree possible, centralize those records on a preservation platform with the necessary metadata to enable quick retrieval. This is a good time to clean out old records that your organization is no longer required to keep or that aren’t essential to your organization. In case of an audit, you may be required to explain the business purpose for each type of information you collect.
Because protection is important, review your security procedures to be sure access to critical records is limited. This is a good time to clean out permission directories, since former or temporary employees may still have logins that were never removed. You should also review access controls on files and folders. According to the 2017 Varonis Data Risk Report, 47% of organizations have at least 1,000 sensitive files open to every employee, largely because of outdated, temporary or overly generous group-level permissions.
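As an added illustration of the two steps above, building an inventory of where personal data lives and checking who can read it, the following Python script walks a directory tree, records which files contain personal-data patterns, and flags any that are readable by every user on the system. This is example code written for this page, not from the original article or from Varonis; the directory layout, file contents, and the email and IBAN-style patterns are constructed for the demo and stand in for real file shares, SharePoint libraries or mail exports.

```python
import re
import stat
import tempfile
from pathlib import Path

# Constructed detection patterns (assumption: email addresses and IBAN-like
# account numbers are the personal-data markers we care about here).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?:[ ]?[A-Z0-9]{4}){3,7}\b")

# Only plain-text formats are scanned in this demo; binaries are skipped.
TEXT_SUFFIXES = {".txt", ".csv", ".md", ".eml"}


def inventory(root):
    """Return one record per file that contains personal-data patterns.

    Each record holds the relative path, the kinds of data found, and whether
    the file's POSIX mode grants read access to 'other' (every local user).
    """
    root = Path(root)
    records = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in TEXT_SUFFIXES:
            continue
        text = path.read_text(errors="replace")
        kinds = []
        if EMAIL_RE.search(text):
            kinds.append("email")
        if IBAN_RE.search(text):
            kinds.append("iban")
        if not kinds:
            continue  # no personal data here, so it does not go in the inventory
        mode = path.stat().st_mode
        records.append({
            "path": path.relative_to(root).as_posix(),
            "kinds": kinds,
            "world_readable": bool(mode & stat.S_IROTH),
        })
    return records


def overly_exposed(records):
    """Files that hold personal data and are readable by everyone."""
    return [r["path"] for r in records if r["world_readable"]]


def build_sample_tree():
    """Create a constructed directory tree with sample (fictional) data."""
    root = Path(tempfile.mkdtemp(prefix="gdpr_demo_"))
    (root / "crm").mkdir()
    (root / "hr").mkdir()
    (root / "notes").mkdir()
    (root / "images").mkdir()

    customers = root / "crm" / "customers.csv"
    customers.write_text("name,email,city\nJan Novak,jan.novak@example.cz,Praha\n")
    customers.chmod(0o644)  # readable by every user: the risky case

    payroll = root / "hr" / "payroll.txt"
    payroll.write_text(
        "Anna Mueller, anna.mueller@example.eu, IBAN DE89 3704 0044 0532 0130 00\n"
    )
    payroll.chmod(0o600)  # owner only: the intended case

    (root / "notes" / "todo.md").write_text("- [ ] review SharePoint permissions\n")
    (root / "images" / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n")
    return str(root)


if __name__ == "__main__":
    sample_root = build_sample_tree()
    found = inventory(sample_root)
    for rec in found:
        print(f"{rec['path']:<24} kinds={','.join(rec['kinds']):<12} "
              f"world_readable={rec['world_readable']}")
    print("overly exposed:", overly_exposed(found))
```

On the constructed tree this reports both files that contain personal data and singles out `crm/customers.csv` as readable by every user. In practice the patterns, suffix list and permission check would be extended to the organization's own stores (SharePoint and mail systems expose ACLs through their own APIs rather than POSIX modes), but the shape of the exercise is the same: know where the data is, then verify who can reach it.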
Under the new rules, organizations must notify customers of a breach within 72 hours of its discovery. While one recent survey by Tripwire found that most security professionals believe their companies can meet that requirement, less than one-fifth have a fully documented process in place. Having such documents on hand provides at least a first level of defense if you fail to hit the deadline.
The regulation also requires many organizations — although not all — to appoint a chief data protection officer. If that mandate applies to your company, be sure you’re at least actively in the process of filling that role by the time the GDPR deadline comes around. Simply moving an existing employee into that job may not be sufficient, since the GDPR specifies that the person must have “expert knowledge on data protection law and practices.”
The one thing you should not do is sit tight and hope for the best. Although regulators may have their hands full with noncompliant organizations at the outset, that’s no reason to believe you can fly under the radar. Consult your legal counsel about the steps that are most appropriate for your own organization.