GDPR Compliance: How to Get the Ball Rolling Today

The General Data Protection Regulation (GDPR) applies to every business in the European Union (EU), and to any business doing business in the EU even if its headquarters are outside EU borders. GDPR enforcement starts in May 2018, which gives enterprises ample time to plan and implement the right controls. The GDPR has many elements. We recommend that enterprises put a plan in place to reach certain milestones before the deadline, both to avoid fines and possibly to earn some goodwill from EU regulators. Compliance experts at Imperva have developed the following framework to help customers navigate the data security and compliance technology requirements of the GDPR.

Stage 1: 0-6 months

- Discover and inventory known and unknown data repositories and sensitive data
- Analyze data flows and touchpoints, including sub-processors
- Inventory current policies and procedures
- Develop the breach discovery, response and notification requirements for:
  - Data monitoring
  - Alerts and investigation process
  - Discovery and immediate containment
  - Assessment of loss and ongoing risk
  - Incident response and investigation
  - Notification of breach
  - Post-event evaluation and response
- Draft the Data Protection Impact Assessment report

Stage 2: 6-12 months

- Perform an inventory and gap analysis of data security and compliance technology:
  - Evaluate and select monitoring, minimization and encryption technology
  - Privacy by design
  - Perform Privacy Impact Assessments (PIAs)
- Define the Data Protection Officer (DPO) role and responsibilities:
  - Alert the organization to any risks that might arise with regard to personal data
  - Monitor the activities of all data controllers within the DPO's corporate group
  - Perform periodic checks to ensure that the organization's security measures remain appropriate and up to date; facilitate audits and investigations
  - Provide guidelines to the Board of Directors as well as all members of staff
- Update the permissions collection process
- Negotiate with third-party processors
- Evaluate the requirements for data transfers to the USA

Stage 3: 12-24 months

- Phased implementation of data security and compliance technologies
- Compliance audits and reporting
- Hire the DPO
- Roll out new policies and procedures (P&P)
- Test
- Training
- Verify and validate (certification)
We have highlighted the milestones in each stage that can help an enterprise achieve GDPR compliance without running into surprises and avoid hefty fines. Early GDPR certification can also be a competitive advantage that bolsters brand image relative to the laggards.
