Security Roundup: GDPR Countdown, KnowBe4 Exploit Discovery, Optiv Tools

GDPR Compliance

… the organization’s bottom line. Ultimately, if organizations aren’t compliant, they risk losing customers, partners and revenue.”

Key steps around basic data hygiene and becoming more responsible data stewards of EU individuals’ data will go far as you prepare for GDPR’s enforcement date, Aber said. These include:
  • Ensuring you have the right team of legal, security, IT, and C-level support.
  • Performing a data inventory to understand how personal data flows into your environment, to see how long you keep the data and why, to document your data life cycle, and classify the data you store.
  • Documenting a risk assessment of personal data throughout its life cycle.
  • Inventorying data processors (subvendors) you share personal data with and ensuring they are under contractual requirements to support your GDPR obligations and facilitate data subject requests.
  • Revising your privacy policy to clearly articulate how you handle personal data, what you use it for, and for how long.
  • Ensuring you have a streamlined process for responding to data subject requests.
OwnBackup's Lee Aber

“Under GDPR, organizations must have a process in place for responding to various data subject requests,” Aber said. “Don’t let this be a fire drill. You still have time to get organized and document personal data within your organization. Roll up your sleeves and dive in.”

If you have a program underway, if your leadership team is behind it, and the will and budget are there, then you’ve already won the battle, Hall said. However, once May 25 has passed, you are running at greater risk should there be a breach, he said.

Many compliance programs – whether regulatory such as GDPR or the Health Insurance Portability and Accountability Act (HIPAA), or technology-specific such as ISO 27001 or SOC2 for information security management – often have controls that overlap, he said.

“For example, if you are already HIPAA-compliant and have to abide by particularly restrictive state laws, then you may already be 90 percent GDPR-ready,” he said. “A common pitfall is to tackle these compliance programs as separate projects, burning time and effort unnecessarily. Technology can help identify common clauses and controls, and allow a firm to save time and money by mapping one regulation against another.”

If you miss the deadline, it’s important to take action, rather than hoping for the best, Doeswijk said.

“Go to the regulator in your country, log your concerns, explain what you have done and are still doing, and what you will continue to do after the effective date,” he said. “What should be clear: the effort for GDPR compliance does not end with the effective date; you will have to continue to evolve your privacy and security measures as your business evolves.”

The best way to mitigate potential penalties is to …
