5 Questions to Ask Your CISO about the GDPR
The European General Data Protection Regulation (GDPR) comes into force on May 25, 2018, and it will have a huge impact on the way businesses store and collect personal information belonging to those located in the European Union (EU). The regulation applies to all businesses that hold and process data that was collected in the European Union, regardless of their location.
Organizations that run afoul of the GDPR could face regulatory fines of up to four percent of their global annual turnover or €20 million, whichever is higher. Fines of this magnitude could put a company out of business, so it is critical that organizations start preparing now. This is not a simple process, but in many cases technology solutions can be deployed to help organizations comply with the regulation.
To help IT teams understand how the requirements of the GDPR may affect their organizations, here are five important questions they should be asking their CISOs to help get their house in order:
Do we have a good understanding of the personal data we hold and where it resides?
Organizations will need to produce Data Protection Impact Assessment (DPIA) reports documenting areas of high-risk data processing, such as monitoring individuals’ behavior. This requires organizations to locate the personal data they collect for that activity and to understand and document how it is processed. The assessment must be kept on hand, ready for regulatory inspection or compliance audit, and in some cases must be self-reported to the regulatory authorities.
One of the key challenges for organizations will be finding where the personal data is being stored once it is collected. For large organizations, this will take more than just a call to the IT department. This will be one of the challenges of the GDPR and an issue which all businesses should address if they are not already.
Who has access rights to the personal data, who actually accesses it, and why?
One of the clear requirements of GDPR is being able to limit who has access to personal data and make sure that access is authorized and reflects personnel changes that happen within an organization. It will be important to analyze policies on data handling, including test data usage, data retention, and data destruction.
It will also be very important for organizations to understand why users are accessing personal data and that there is a legitimate basis for it. Just because a user has a certain senior role within an organization does not mean they should automatically have privileged access to all sources of personal data.
How do we monitor who accesses personal data? Could we detect and investigate a breach?
One of the most onerous requirements of the GDPR concerns breach notification. Any organization that controls personal data on behalf of a data subject and experiences a breach of that data must notify the local Data Protection Authorities (DPA) in the member states where the affected people reside within 72 hours of identifying or confirming the breach, and must also notify the data subjects themselves. Organizations must be able to identify what personal data was breached and the nature of the breach. In practice this means an organization needs to know who accessed the personal data, what activity they performed, and when they performed it. This is an area where strong technology solutions matter, so that your organization is even in a position to provide the requested information within the 72-hour window.
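The two questions above (who holds and exercises access rights, and whether a breach could be reconstructed within 72 hours) are both answered from the same raw material: a database audit trail plus the grant table. The following is an added example, not code from the Imperva post or its products; the audit-log format, table names, users, grants, thresholds and business-hours window are all constructed for illustration. It parses a small audit export, restricts to tables the data inventory tagged as personal data, flags bulk and out-of-hours reads, produces the per-user, per-table access totals a notification would need, and compares granted rights with observed use to surface stale grants (a leaver still holding rights) and access without a grant.

```python
"""Added example, not code from the Imperva post: reviewing a database audit
trail to answer who accessed personal data, what they did, when, and whether
their access matched what they were granted. The log format, table names,
users and grants below are all constructed for illustration."""
from collections import defaultdict
from datetime import datetime

# Constructed audit lines: ISO timestamp | database user | action | table | rows
SAMPLE_AUDIT_LOG = """\
2018-05-20T09:12:03Z|app_svc|SELECT|customers|1
2018-05-20T09:15:44Z|app_svc|UPDATE|customers|1
2018-05-20T10:02:10Z|analyst1|SELECT|orders|250
2018-05-20T23:41:57Z|dba_temp|SELECT|customers|48000
2018-05-21T00:05:12Z|dba_temp|SELECT|patients|12000
2018-05-21T08:30:00Z|analyst1|SELECT|customers|40
"""

# Tables the data inventory / DPIA has tagged as holding personal data (constructed)
PERSONAL_DATA_TABLES = {"customers", "patients"}
# Access rights as recorded in the grant table (constructed); former_emp has left
GRANTS = {
    "app_svc": {"customers"},
    "analyst1": {"orders", "customers"},
    "dba_temp": {"customers"},
    "former_emp": {"patients"},
}
BULK_ROW_THRESHOLD = 1000        # a single read above this many rows is "bulk"
BUSINESS_HOURS = range(7, 20)    # 07:00-19:59 UTC counts as normal working time


def parse_audit_log(text):
    """Turn the pipe-separated audit export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, table, rows = line.split("|")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "action": action, "table": table, "rows": int(rows),
        })
    return events


def personal_data_events(events):
    """Keep only events that touch tables in the personal-data inventory."""
    return [e for e in events if e["table"] in PERSONAL_DATA_TABLES]


def flag_suspicious(events):
    """Bulk reads or out-of-hours activity against personal data.
    Returns (user, table, timestamp, reasons) tuples for investigation."""
    flagged = []
    for e in personal_data_events(events):
        reasons = []
        if e["action"] == "SELECT" and e["rows"] >= BULK_ROW_THRESHOLD:
            reasons.append("bulk_read")
        if e["ts"].hour not in BUSINESS_HOURS:
            reasons.append("out_of_hours")
        if reasons:
            flagged.append((e["user"], e["table"], e["ts"].isoformat(), reasons))
    return flagged


def access_summary(events):
    """Rows touched per user per personal-data table: the 'what was accessed
    and by whom' figures a breach notification has to contain."""
    summary = defaultdict(lambda: defaultdict(int))
    for e in personal_data_events(events):
        summary[e["user"]][e["table"]] += e["rows"]
    return {user: dict(tables) for user, tables in summary.items()}


def entitlement_review(events, grants):
    """Compare granted rights with observed use.
    unused: granted but never exercised (candidates for revocation, e.g. leavers)
    ungranted: exercised without a matching grant (a control failure to investigate)"""
    observed = {(e["user"], e["table"]) for e in events}
    unused = {(u, t) for u, tables in grants.items() for t in tables
              if (u, t) not in observed}
    ungranted = {(u, t) for (u, t) in observed if t not in grants.get(u, set())}
    return sorted(unused), sorted(ungranted)


if __name__ == "__main__":
    evts = parse_audit_log(SAMPLE_AUDIT_LOG)
    for item in flag_suspicious(evts):
        print("FLAG", item)
    print("summary", access_summary(evts))
    print("entitlements", entitlement_review(evts, GRANTS))
```

On the constructed data the review flags the two night-time bulk reads by `dba_temp`, reports that `dba_temp` read `patients` without any grant, and lists `former_emp`'s unused grant on `patients` for revocation. A real deployment would feed the same functions from the database's native audit facility and the identity system's grant export rather than from inline strings.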
Do we know how we will minimize the volume of personal data used in non-productive systems?
GDPR requires businesses to minimize the personal data they retain, particularly when they don’t actually need it for day-to-day operations. If an organization does not need the personal data for business or compliance purposes, then the regulation states they should purge the data in a legally compliant manner or deploy data masking or pseudonymization technology.
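Test, development and analytics copies are the usual home of personal data that nobody needs. The following added example (not code from the Imperva post or its products) shows one way to pseudonymize a customer data set before it is copied into such a system: identifiers become keyed HMAC tokens so joins between tables still work, contact fields are masked, free text is blanked, and any column not explicitly listed is dropped. The field names, sample records and key handling are constructed; the assumption is that the key stays on the production side and never reaches the non-production environment.

```python
"""Added example, not code from the Imperva post: pseudonymising a customer
data set before it is copied into a test or analytics environment, so that the
non-production copy holds no directly identifying data but still works for
testing. Field names, key handling and sample records are constructed."""
import hashlib
import hmac
import re

# Assumption: the key is held by the production side (e.g. in a secrets manager)
# and never reaches the test environment, so tokens cannot be reversed there.
PSEUDONYM_KEY = b"constructed-demo-key-replace-in-real-use"


def pseudonym(value, key=PSEUDONYM_KEY):
    """Deterministic keyed token (HMAC-SHA256, truncated). The same input always
    maps to the same token, so foreign-key joins survive pseudonymisation, while
    an unkeyed hash of a guessable value (an ID, an email) would be trivially
    reversible by brute force."""
    return hmac.new(key, str(value).encode(), hashlib.sha256).hexdigest()[:16]


def mask_email(email):
    """Hide the mailbox name, keep the domain so mail-handling code still runs."""
    local, _, domain = email.partition("@")
    return "user-" + pseudonym(local)[:8] + "@" + domain


def mask_phone(phone):
    """Keep the last four digits, mask the rest."""
    digits = re.sub(r"\D", "", phone)
    if len(digits) < 4:
        return "****"
    return "*" * (len(digits) - 4) + digits[-4:]


# Per-field rule: which fields are tokenised, masked, kept or dropped.
FIELD_RULES = {
    "customer_id": pseudonym,
    "name": lambda v: "Customer " + pseudonym(v)[:6],
    "email": mask_email,
    "phone": mask_phone,
    "notes": lambda v: "",          # free text can contain anything: blank it
}
KEEP_FIELDS = {"country", "plan", "signup_year"}   # needed for testing, not identifying


def pseudonymise_record(rec):
    """Apply FIELD_RULES / KEEP_FIELDS; any field listed in neither is dropped,
    so a newly added column cannot leak into the test copy by default."""
    out = {}
    for field, value in rec.items():
        if field in FIELD_RULES:
            out[field] = FIELD_RULES[field](value)
        elif field in KEEP_FIELDS:
            out[field] = value
    return out


def pseudonymise_orders(orders):
    """Related table: the foreign key gets the same token as the customer row."""
    return [{"order_id": o["order_id"], "customer_id": pseudonym(o["customer_id"]),
             "amount": o["amount"]} for o in orders]


# Constructed sample data
SAMPLE_CUSTOMERS = [
    {"customer_id": 1001, "name": "Alice Example", "email": "alice@example.com",
     "phone": "+44 20 7946 0958", "country": "DE", "plan": "pro",
     "signup_year": 2016, "notes": "Called about invoice; lives at 1 Main St",
     "ip_address": "192.0.2.10"},
]
SAMPLE_ORDERS = [{"order_id": 501, "customer_id": 1001, "amount": 19.99}]


if __name__ == "__main__":
    for c in SAMPLE_CUSTOMERS:
        print(pseudonymise_record(c))
    print(pseudonymise_orders(SAMPLE_ORDERS))
```

The drop-by-default rule in `pseudonymise_record` is the important design choice: the sample `ip_address` column never reaches the output because nobody listed it, which is the safe failure mode when a schema grows. Whether keyed tokens count as pseudonymized or anonymized data depends on who can reach the key, which is why the key must not be deployed alongside the copy.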
Do we know how we could prevent database data from being accessed or transferred outside the country/the EU?
The GDPR imposes restrictions on the transfer of personal data outside the European Union, to third countries or international organizations that do not have adequate data protection laws, to ensure that the level of protection afforded by the GDPR to individuals in the EU is not undermined. This means that organizations holding personal data from individuals in the EU will need a clear understanding of where they are transferring this personal data to and whether the jurisdiction in which the recipient is located is deemed to provide an adequate level of data protection. Data monitoring technology will play a key role in monitoring activity in real time to prevent such transfers from occurring, even by accident.
Businesses must act now
The GDPR will greatly impact the way businesses collect, store and transfer personal data, and it is imperative that organizations begin to lay the groundwork now.
Preparation will include carrying out assessments of data stores, establishing budgets for new technology and implementation of the new processes and solutions to help businesses become compliant with the regulation.
This may seem like a daunting task for many organizations; however, the outcome will be a much more secure environment for personal data, which can only be seen as a positive step.
Download our GDPR infographic: Get Going with Your GDPR Plan
Watch a tech demo to learn how Imperva’s data security portfolio can help you find and categorize data for GDPR compliance: Data Discovery and Classification for the GDPR