I wrote about the mistakes that many organizations are making as they prepare for GDPR implementation. So here I’ll look at the opposite: What steps should you take to make sure your GDPR preparations are on the right track? Here is the advice from different security and privacy experts.
Doug Snow, VP of Customer Success with TITUS, pointed out a simple GDPR prep step that I’m totally on board with: Get your employees involved and have them be part of the solution. Snow added:
This means employees need to know the kinds of data that need to be protected across the organization because information security is everyone’s responsibility. And the key to success is to take steps to ensure people understand exactly the type of information they deal with on a daily basis.
To better educate and provide regular reminders for GDPR compliance, Snow recommended hanging posters with reminders about data security, organizing ongoing training to help people stay sharp, and encouraging users to share their own tips about how they stay mindful of security.
Netskope CEO Sanjay Beri also believes employees need to be part of the solution, adding that privacy awareness training should be mandatory, telling me:
By requiring every employee to participate in cyber security awareness training and conducting training on an ongoing basis, organizations can foster a culture of security awareness. Security team leads are responsible for identifying risks of non-compliance with GDPR and managing those risks by implementing controls, policies, and procedures and then communicating these and other security best practices to their employees. Employees need to hold themselves accountable for doing their part in helping the company comply with the GDPR — just as much as leadership does.
Knowing and involving employees is one step. Beri pointed out the importance of your relationship with your data:
- Know your data, well. That includes knowing what information is being collected, who’s collecting it, and who’s sharing it throughout the organization. Also, don’t assume that your understanding of PHI, PII, and other data profiles will directly map to the GDPR rules, since the scopes of the regulations are different and can include things like hobbies, political affiliations, and sexual orientation, Beri said.
- Follow your data. You need to know where your data travels — especially if it crosses geo-political boundaries. In fact, 80.3 percent of the time, cloud data gets backed up to another geographic area. That is, after all, a deliberate design specification and a strength of the cloud for enabling high availability and disaster recovery. If that data includes regulated data under the GDPR, you’ll need to talk to your cloud service provider about restricting backups to certain geographies. If your cloud service provider can’t do that, look to third-party controls to take necessary precautions.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba