GDPR Compliance: How to Get the Ball Rolling Today


The General Data Protection Regulation (GDPR) impacts every business in the European Union (EU), and every business doing business in the EU even if its headquarters are outside EU borders. GDPR enforcement starts in May 2018, giving enterprises ample time to plan and implement the right controls. There are many elements in the GDPR directive. We recommend that enterprises put a plan in place to achieve certain milestones before the deadline, in order to avoid fines and possibly earn some goodwill from the EU. Compliance experts at Imperva have developed the following framework to help customers navigate the data security and compliance technology requirements of the GDPR.

Stage 1: 0-6 months

Discover and inventory known and unknown data repositories and sensitive data

Analyze data flows and touchpoints, including sub-processors

Inventory current policies and procedures

Develop the breach discovery, response and notification requirements for:

Data Monitoring

Alerts and investigation process

Discovery and immediate containment

Assessment of loss and ongoing risk

Incident response and investigation

Notification of breach

Post event evaluation and response

Draft the Data Protection Impact Assessment report

Stage 2: 6-12 months

Perform an inventory and gap analysis of data security and compliance technology

Evaluate and select monitoring, minimization and encryption technology

Privacy by design

Perform Privacy Impact Assessments (PIAs)

Define the Data Protection Officer (DPO) role and responsibilities

Alert the organization to any risks that might arise with regard to personal data

Monitor the activities of all data controllers within the DPO’s corporate group

Perform periodic checks to ensure that the organization’s security measures remain appropriate and up to date, and facilitate audits and investigations

Provide guidelines to the Board of Directors as well as all members of staff

Update the permissions collection process

Negotiate with third-party processors

Evaluate US data transfer requirements

Stage 3: 12-24 months

Phased implementation of data security and compliance technologies

Compliance audits and reporting

Hire DPO

Roll out new policies and procedures (P&P)

Test

Training

Verify and validate (Certification)

We have highlighted the milestones for each stage that can help achieve GDPR compliance without running into surprises and avoid hefty fines. Early GDPR certification can also be a competitive advantage that bolsters brand image relative to the laggards.
