How To Get Prepared For The 2018 GDPR Deadline

This article was originally published in Forbes.

The EU General Data Protection Regulation (GDPR) is set to affect thousands of organizations worldwide, and it is the most significant change in data privacy regulation in 20 years. For those unfamiliar, GDPR defines a broad set of rights and principles governing the protection and use of personal data belonging to individuals in the EU (the regulation speaks of "data subjects" rather than citizens), regardless of where the organization holding that data is located.

Heavy fines for noncompliance and rapid breach notification requirements, coupled with an application date of 25 May 2018, mean that organizations must immediately and aggressively begin working on GDPR. At a minimum, they should start by developing data classification strategies, data usage and retention guidelines and a baseline set of security controls. By automating these processes and controls, they can lower the cost and ease the implementation of GDPR compliance.

GDPR Background, Rights And Principles

GDPR was developed by the EU in order to formalize the rights of individuals over their personal data. It applies to any firm or organization that processes or stores such data, regardless of where the organization is located. For example, a U.S.-based company that held client data in Singapore would still be subject to GDPR if that data related to clients in the EU.

Unlike its predecessor, the 1995 Data Protection Directive, GDPR contains strong enforcement measures. First, fines for the most serious violations can reach up to 4% of worldwide annual turnover or EUR 20 million, whichever is higher. Second, in the event of a breach of personal data, organizations must notify the supervisory authority within 72 hours of becoming aware of it and, where the breach is likely to result in a high risk to the individuals affected, must notify those individuals without undue delay. Meeting a 72-hour window will be extremely challenging for organizations that do not already have detection and incident response processes in place.

The key element of GDPR is the definition of data protection rights for data subjects. The list of rights is extensive and will impact business models and processes in many ways. Some of the more important rights to take note of include the following:

• Consent must be given for data processing, and the way the data will be used must be stated in a way that is easy for the citizen to understand.

• Organizations must clearly state what data is being processed, how it is being processed and with what other organizations the data might be shared.

• Individuals have a right to erasure, commonly called the right to be forgotten. That is, they can request that all copies of their data be deleted. They also have a right to data portability: the ability to easily transfer their data from one organization to another.

Given that there is less than a year before the deadline for compliance, organizations absolutely must begin preparing immediately. There are several areas that are high priorities for action. These include staffing, data audit and classification, risk analysis and basic system logging. Beyond that, organizations must begin aligning their business models with acceptable GDPR practices, building their client notification and consent frameworks and defining a fundamental security control set.

GDPR Preparation

The first step in adapting to a global regulatory change, beyond understanding what the change entails, is preparing as far in advance as possible. With the deadline now only months away, the time to start preparing is upon us. While each organization will ultimately need to develop its own strategy, there are certain constants recommended for every enterprise that intends to remain GDPR compliant. Those constants are four key steps, as follows:

Discovery: Identifying what personal data the organization is in possession of and where it resides.

Management: The governance of how personal data is accessed and used.

Protection: Establishing security controls to prevent, detect and respond to infrastructure vulnerabilities and data breaches.

Reporting: Acting on data requests, reporting data breaches and maintaining required documentation.

These four key steps should become the foundation of any GDPR policy. There is, of course, leeway as to how each step is carried out and what tools and techniques are applied in doing so. Forward-thinking business leaders will use every tool available to streamline and strengthen their GDPR compliance.
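The discovery step above is the one most amenable to tooling: before data can be governed or protected, an organization needs an inventory of which stores hold personal data and in which fields. The following is an added example, not code from the original article or from any vendor product, of a small discovery scanner. It runs over constructed sample records (the store and column names, and every value in them, are made up for this example) and classifies values as email addresses, IBANs or phone numbers. For IBANs it applies the ISO 13616 mod-97 check so that a string that merely looks like an account number is flagged separately from a real one, and it masks matched values so the inventory does not itself become another copy of the personal data.

```python
import re
from collections import defaultdict

# Constructed sample records standing in for rows pulled from several data stores.
# None of this is real data; store names, row numbers and values are invented for the example.
SAMPLE_RECORDS = [
    {"store": "crm.customers", "row": 1,
     "fields": {"name": "Anna Example", "contact": "anna@example.eu", "notes": "prefers email"}},
    {"store": "billing.invoices", "row": 7,
     "fields": {"ref": "INV-7", "account": "DE89 3704 0044 0532 0130 00"}},
    {"store": "support.tickets", "row": 3,
     "fields": {"body": "Refund to GB82WEST12345698765432 please, or call +49 30 1234567"}},
    {"store": "support.tickets", "row": 4,
     "fields": {"body": "IBAN DE89 3704 0044 0532 0130 01 looks wrong"}},  # bad check digits
]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Two-letter country code, two check digits, then 11-30 alphanumerics with optional spaces.
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?:[ ]?[A-Z0-9]){11,30}\b")
PHONE_RE = re.compile(r"\+\d{1,3}[ \d]{6,14}\d")


def iban_is_valid(candidate):
    """ISO 13616 mod-97 check: move the first four characters to the end,
    replace letters with 10..35, and the resulting integer mod 97 must be 1."""
    iban = candidate.replace(" ", "").upper()
    if not (15 <= len(iban) <= 34) or not iban.isalnum():
        return False
    rearranged = iban[4:] + iban[:4]
    numeric = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(numeric) % 97 == 1


def mask(value):
    """Keep only a prefix and suffix so the inventory does not reproduce the data it catalogues."""
    v = value.replace(" ", "")
    return v if len(v) <= 6 else v[:4] + "*" * (len(v) - 6) + v[-2:]


def classify_value(value):
    """Return a list of (category, matched_text) pairs found in one field value."""
    hits = []
    for m in EMAIL_RE.finditer(value):
        hits.append(("email", m.group()))
    for m in IBAN_RE.finditer(value):
        category = "iban" if iban_is_valid(m.group()) else "iban_like_invalid"
        hits.append((category, m.group()))
    for m in PHONE_RE.finditer(value):
        hits.append(("phone", m.group()))
    return hits


def discover(records):
    """Build an inventory: store -> list of {row, field, category, sample} for every hit."""
    inventory = defaultdict(list)
    for rec in records:
        for field, value in rec["fields"].items():
            for category, match in classify_value(str(value)):
                inventory[rec["store"]].append({
                    "row": rec["row"],
                    "field": field,
                    "category": category,
                    "sample": mask(match),
                })
    return dict(inventory)


if __name__ == "__main__":
    for store, hits in discover(SAMPLE_RECORDS).items():
        print(store)
        for h in hits:
            print(f"  row {h['row']:>3}  {h['field']:<8} {h['category']:<18} {h['sample']}")
```

In a real deployment the record source would be a database cursor, object-store listing or file crawler rather than an inline list, and the category list would be extended with whatever identifiers the organization actually handles. The point of the checksum step is to keep the inventory honest: an invalid-checksum hit is still worth a human look, but it should not be counted as a confirmed instance of financial data.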

Using Technology To Close The Gap

In response to the regulation, many developers and vendors have begun offering tools and technologies specifically designed to help organizations prepare for and comply with GDPR. For instance, there is a growing number of risk assessment tools that provide analysis of and visibility into database infrastructure, along with recommendations for remediation. There are also implementation solutions that come preconfigured with GDPR rules, standards and processes.

From a control standpoint, automation is emerging as a valuable option, particularly because it produces a consistent, repeatable and well-documented process that will stand up to scrutiny during an audit. It makes it far more likely that a spot check for compliance (e.g., validating that a control ran correctly on a particular day) will pass. A sufficiently flexible automation platform can integrate with most of the security products on the market, so an organization can choose the security solutions it considers best and still have the automated process it needs to be successful.

Another consideration is segregation of duties. A security control must be operated separately from the people the control is monitoring. Running the control as an automated process means that staff members do not need to be involved in executing it, which reduces the risk of the same people having access to both the data and the control that protects it. Furthermore, the automation should write a reliable record of each control run and of each access to a data store that the monitored system administrators cannot modify, creating a tamper-evident audit trail that can be used to validate the controls.
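The audit trail described above only has value if an administrator of the monitored systems cannot quietly rewrite a past failure into a pass. One common way to achieve that is to chain each record to its predecessor and seal each record with a key the administrators do not hold. The following is an added example of that technique, not code from the original article or from any product it refers to; it assumes (as a constructed example) that the signing key is held by a separate audit service and that the log is stored where the monitored systems only have append access. Editing, deleting or reordering any past entry breaks the chain, and re-signing with a different key is detected as well.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Assumption for this example: the key lives with the audit service, not on the
# systems being monitored, so their administrators cannot produce valid MACs.
# This literal is a stand-in only; a real deployment would load it from a KMS/HSM.
AUDIT_KEY = b"example-audit-key-not-for-production"
GENESIS = "0" * 64  # the "previous MAC" of the very first entry


def _canonical(entry):
    """Stable JSON serialization so identical entries always produce identical bytes."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def append_entry(log, actor, action, result, when=None, key=AUDIT_KEY):
    """Append one control result, chained to the previous entry and sealed with an HMAC."""
    prev = log[-1]["mac"] if log else GENESIS
    entry = {
        "seq": len(log),
        "ts": (when or datetime.now(timezone.utc)).isoformat(),
        "actor": actor,
        "action": action,
        "result": result,
        "prev": prev,
    }
    entry["mac"] = hmac.new(key, _canonical(entry), hashlib.sha256).hexdigest()
    log.append(entry)
    return entry


def verify_log(log, key=AUDIT_KEY):
    """Return (True, None) if the whole chain is intact, else (False, index_of_first_bad_entry).
    Catches edited fields, deleted or reordered entries, and entries signed with the wrong key."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "mac"}
        if body.get("seq") != i or body.get("prev") != prev:
            return False, i
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry.get("mac", "")):
            return False, i
        prev = entry["mac"]
    return True, None


def demo():
    """Record three automated control runs, then show that editing a past failure is detected.
    Returns the verification result for the intact log and for the tampered copy."""
    log = []
    fixed = datetime(2018, 1, 15, 2, 0, tzinfo=timezone.utc)  # constructed timestamp
    append_entry(log, "control-runner", "check_encryption_at_rest:db-eu-1", "pass", fixed)
    append_entry(log, "control-runner", "check_access_review:crm", "fail", fixed)
    append_entry(log, "control-runner", "check_backup_retention:billing", "pass", fixed)

    tampered = json.loads(json.dumps(log))  # deep copy
    tampered[1]["result"] = "pass"  # an admin "fixes" the record instead of the control
    return verify_log(log), verify_log(tampered)


if __name__ == "__main__":
    intact, edited = demo()
    print("intact log:  ", intact)
    print("tampered log:", edited)
```

The chain gives integrity, not availability: an administrator who can delete the whole log still destroys the evidence, so in practice the entries are also shipped to write-once storage or a log service outside the administrators' control, and the verifier is run from there on a schedule.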

No Magic Bullet

It should be noted that there is no absolute perfect solution when it comes to compliance. The question of whether a control set is sufficient to protect data relative to risk is quite subjective. What auditors look for is not a fixed set of deliverables but a consistent methodology for analyzing risk, arriving at a control set and implementing those controls. By preparing ahead and leveraging the appropriate tools and technologies, organizations can improve the chances of maintaining compliance on a consistent basis.


Compliance Got You Down? IT Automation is the Answer

In today's fast-paced business environment, it can be a hassle to keep track of all the important data you're dealing with, but it's an absolute necessity if you are to remain compliant. Regardless of whether the driver is an external regulation such as HIPAA or Sarbanes-Oxley, or an internal audit to ensure that the rules are consistently being met, you're on the hook for maintaining proper documentation and producing it if and when it's needed. So how can you ease this burden and make staying in compliance more manageable? Easy: you employ IT automation.

It’s all about transparency.

With the right IT automation platform in place, you don’t have to worry about manually keeping track of every important piece of data. In the event of an audit, either internal or external, you can easily access what you need, when you need it. There’s really no better way to remain in compliance than through IT automation.

Create an environment of consistency and uniformity.

One of the biggest challenges for a business when it comes to the topic of compliance is dealing with inconsistencies across the organizational structure as a whole. One department may be extremely diligent about documentation, while another may be seriously lacking. Still others may do things completely differently than their peers, which can make organizing and presenting requested documentation to an external auditor a nightmare. IT automation creates a uniform process that helps to keep every area of your business consistently compliant.

Get the freedom to focus on what’s most important.

Not only does IT automation help with organizing, storing and accessing important data and documentation, but because you and your personnel are no longer forced to waste valuable time on mundane, repetitive tasks, you will be better able to focus on critical business issues – including compliance. So, it becomes a win-win in terms of staying compliant from start to finish.

Take a proactive approach.

Don’t let an auditor be the one to catch a problem within your organization. IT automation provides the ability to receive real-time and accurate notifications so that critical business issues can be identified and addressed in a timely manner, before they develop into a more serious or costly problem for your business. Fewer things falling through the cracks equates to a more compliant business year-round.

Test, test and test again.

The best way to prepare for a potential audit is to conduct occasional internal tests. Not only will this help identify areas of weakness so they can be addressed immediately, before they become a serious concern, but it will ensure that your data can be quickly and easily accessed when and if an external audit should become necessary.

Make audits quick and painless.

If you’ve ever experienced an audit, you know that it can be a long, drawn out and painful process – especially if you weren’t well-prepared ahead of time. Without the right technology in place, audits can force you to pull your personnel away from their day to day tasks, causing production delays and an increased burden of workload on the rest of the team. The time it takes to dig up days, weeks, months or even years’ worth of data and produce the necessary documentation means a loss of productivity and subsequent profits for your organization, not to mention the consequences of failing any area of your compliance check. IT automation makes the process of an audit go much more smoothly, which means less disruption to workflow and a faster turnaround.

For most organizations, regardless of industry, compliance is a challenging but necessary part of doing business. The good news is it doesn’t have to be a costly, workflow disrupting headache for you or your team. With the right IT automation and orchestration platform in place, you can uniformly organize and access all of your important data without having to waste precious time and resources, so that if and when an audit comes up, you’ll be ready!

IT automation makes the process of staying compliant far easier. Learn how it can help your business by launching your own free trial today.


How IT Automation Can Help You Meet IT Governance, Risk and Compliance Requirements

One of the biggest challenges organizations face when it comes to IT governance, risk and compliance is that it is difficult to understand the real and ongoing risks the organization faces. Keeping abreast of every change and nuance of each new or modified regulation can be exhausting, whether your organization must meet one compliance initiative or several. The challenge is made even more complicated when IT processes are handled manually, which opens up a tremendous risk of human error.

IT automation helps to eliminate this risk and improve the chances of consistently passing regulatory compliance.

Today’s technology has made it increasingly important that businesses meet both external regulatory compliance requirements as well as the internal security mandates of their own organizations. This means protecting sensitive data and abiding by all of the complex and ever-changing requirements that are set forth by government and other regulatory agencies.

When an organization handles its IT functions manually, it inherently opens itself up to risk. Human error can result in sensitive data being exposed to internal or external threats and confidential material being compromised. The resulting non-compliance can cost your organization more than a hefty fine; it can cost you your profitability and future success.

By automating repetitive, manual tasks your organization is better able to maintain a continuous state of compliance.

What's more, IT automation also helps to quickly identify compliance gaps so that you can address and correct them in a timely manner, before they become a costly problem. Instead of backtracking after the fact to pinpoint where a control failed, regular automated assessments allow you to manage your compliance in real time.

When an audit comes up, businesses often find themselves scrambling to correct existing problems and quickly generate enough proof of controls to satisfy auditors. The result is a significant waste of time, effort and resources, and it usually falls short of what the auditors are looking for anyway. So, not only is the business increasing costs and reducing productivity by trying to manage their compliance at the last minute, but they’re likely not going to succeed in doing so.

IT automation eliminates this last-minute scramble because, instead of compliance being a separate task, it becomes part of the day-to-day operations of your business. That means when an audit arises you won't have to worry: compliance is already incorporated into your IT operations. The audit trails have already been created, making the process quick and efficient and improving the likelihood of passing every requirement.

So, then the question becomes not whether you should automate your IT activities, both for reducing costs and improving productivity, but can you afford not to? Non-compliance is more than just a risk to your employees and clients – it’s a risk to your organization as a whole. IT process automation takes the guesswork out of this complex subject and helps keep your business in line so that when those auditors knock, you’ll be ready.
