4 Steps To Get Ready For GDPR

For any organisation that does business in the European Union (EU) in any capacity, it’s no secret that the General Data Protection Regulation is a crucial piece of legislation.

Every company that has offices, customers or partners based in the European Union will be affected, and come May 25, 2018, the way we are working with their data will be under strict new guidelines, impacting the way we do business.

It won't take long after the deadline before the gloves come off and the EU cracks down with audits of big tech companies. We're talking about Uber, Google, Apple and so forth. This will be the EU's effort to reinforce the seriousness of meeting GDPR regulations and to show that no business, not even the household names, will be exempt from complying with GDPR standards.

After the EU cracks down on the big tech companies, financial institutions and travel companies will be next, as these are the most globalised industries, where data flows freely across geographical borders.

And regardless of the EU’s efforts, the reality is that many companies won’t meet the May deadline, whether due to lack of resources, laziness or apathy. You better believe that those businesses that don’t get on board, and get caught, will be crushed, as business will come to a grinding halt.

If you are behind, or aren’t taking action to prepare for GDPR right now, you may be straggling, but you’re not too late. The process may be a beast, but it’s absolutely manageable if you’re organised. Here are four tips to begin your GDPR journey:

  1. Establish a privacy program. This is the first place you should start. If you do this upfront, then when new regulations come out, you have a set baseline of where you are at and can more efficiently fill in the gaps. There will always be new regulations your organization must embrace, so get ahead of the curve while you can. The privacy program must address data flow, data classification, critical systems and encryption.
  2. Hire a Data Privacy Officer. Designating a person to lead the charge on providing the company with best practices on how to approach data privacy is critical. This role helps employees understand where the organization’s data resides and how best to protect it with methods like encryption. Additionally, make sure this person actually has proper certifications by May 2018, and is truly qualified for the position. This role will only continue to increase in importance for companies working in the global market that must remain compliant across borders. Also, make sure you have a privacy attorney either on staff or on retainer.
  3. Seek third-party validation for your organization. Any streetwise potential customer or partner will request this while you’re working out the fine print of any contract, so you may as well beat them to the punch. This will also allow you to protect your business in the event of a breach, so that you are not held liable because of accusations that you aren’t GDPR compliant. You have a couple of options for obtaining such validation. You can either conduct a rigorous self-assessment, or seek an external audit firm. Most audit firms are still not trained and properly qualified to run a data protection impact assessment.
  4. Hold your partners and vendors to the same standards. While you continue on your journey to GDPR compliance, make sure you also monitor for progress with any partners or vendors your business works closely with. Tell-tale signs include the aforementioned tips — i.e. do they have a privacy program, a Data Privacy Officer and third-party validation?

Another clue they are well equipped to handle GDPR regulations is they are a cardholder data environment (CDE), defined by the PCI Security Standards Council as “the people, processes and technology that store, process or transmit cardholder data or sensitive authentication data.”

Most vendors today do not have their entire data flow or infrastructure as a CDE. However, those that do have a distinct advantage as everything is already encrypted and treated as mission critical.

To confirm this status with a partner or vendor, all you need to do is ask for an Attestation of Compliance as proof, and confirm that they are leveraging data loss prevention software to protect their data.

Avoid the Pitfalls

While the process of achieving GDPR compliance is a lengthy one, you still have time. In fact, it may be a bold statement for any organisation to come forward at this point and claim it is GDPR compliant. Why?

Because most third-party auditors are still wrapping their own heads around the process, and haven’t quite gotten to the point where they can provide validation for their clients.

If you do come across a business making this claim, don’t take the marketing language at face value. Instead, ask one simple question: “Where is their third-party validation?”

Most companies will not be able to answer that simple question. In the meantime, you can get a quick evaluation of a cloud-based company’s GDPR readiness from Cloud Access Security Broker vendors like Netskope.

Additionally, write off any company that says it is already GDPR compliant because they have another type of certification, such as SOC 2 or HIPAA. While there may be numerous common controls, there are core differences between each that cannot be ignored.

In the coming months, diligence will be key when it comes to not only preparing your own organisation for GDPR compliance, but also placing the same standards on vendors, partners and others you do business with. Just remember: breathe, take it one step at a time, and whatever you do, don’t fall for scare tactics.

The GDPR is new data protection legislation that comes into force from 25 May 2018. Non-compliance will mean hefty fines, up to 4% of annual global turnover or up to €20 million, whichever is higher, so getting in line is essential.

All organisations operating in the EU must become GDPR compliant, and in doing so, face many questions as to what they should be doing with any personal data they hold and when. The newly launched GDPR Advisory Board is there to help with this important process that will be seen as a priority for many businesses across 2018.

