The General Data Protection Regulation (GDPR) will enter into force on 25 May 2018. So what actions should InfoSec professionals already be taking to ensure compliance with the new regulation?
The GDPR will affect organisations that operate in the European Union (EU), do business with organisations in the EU, or store data in the EU. When preparing to implement the required changes to current practices, there are numerous challenges the information security professional must be ready to address.
Here are three key topics as a starting point in the drive towards adoption of, and compliance with, the GDPR.
1. Privacy by Design
Information security professionals need to work with IT development and implementation teams to create a checklist for software/services suppliers, to ensure that privacy is designed into products, services and business processes. The information security function will need a thorough understanding of the information lifecycle and of the technical infrastructure on which this data operates, including externally provided services, and must plan accordingly.
2. Incident Management
Incident management capabilities for the GDPR need to be strong enough to enable an organisation to react rapidly to any breaches and notify the relevant Data Protection Authority (DPA) within 72 hours. An information security incident management framework should be in place and supported by documented standards and procedures.
Key employees within the organisation must already be aware that the law is changing and must understand the impact of the changes and their responsibilities. The policies and procedures for staff to follow must be in plain and understandable language, and easily accessible. Regularly testing staff around awareness – for example, with fake phishing emails – will help to support auditability and demonstrate that an organisation has done its utmost to protect the EU citizen data that it processes.