4 Steps Toward A GDPR Compliance Audit

Many organisations are starting to feel stressed and perhaps a bit confused by the General Data Protection Regulation that is quickly approaching us and will hit May 25, 2018.

Indeed, the more I talk to companies, the more I hear the same question: “What exactly is it that I am supposed to do?”

The answer is, 'plenty.' But first, it’s essential that we understand what we’re dealing with.

If you’ve worked with regulations such as Sarbanes-Oxley (SoX) or Health Insurance Portability and Accountability Act (HIPAA) before then you have likely heard about GDPR. And like with those other regulations, the ramifications of not being in compliance when it goes into effect are severe.

GDPR views each and every person that an organisation interacts with (either inside or outside the company) as a center cog and every interaction as a digital footprint that requires handling “the GDPR-way.”

Note to US organisations: even if your company is based outside the EU, you may still need to be GDPR compliant. What determines the need for compliance is who you hold data on. If you collect data on any EU citizen, you are subject to the regulations. This includes selling or shipping an item to someone in the EU, or even shipping inside the US but the person doing so is using a credit card from the EU.

GDPR touches upon how we use and store data, for how long and for what purpose. It addresses how we inform individuals about which data we hold, how to anonymise the data and how we delete it.

It also requires control over scenarios such as who responds to the request from the consumer exercising their right to be 'forgotten' and to make sure that it’s dealt with within reasonable time. The fact that some organizations are now required to hire a data protection officer (DPO) suddenly means that GDPR takes on an entirely different level of importance. With that, GDPR guidelines requires that many organisations do a comprehensive business process overhaul.
 
With that in mind, some organisations might consider shutting down a system or platform as “the solution,” because they feel as though they cannot oversee GDPR and don’t want to risk being imposed with a fine. But how many days are you willing to run your business without your HR system or your BI and analytics platform? You built and implemented them for a reason.

Starting Line - The Audit

Suffice to say, you’d rather not shut down systems and would prefer to become GDPR compliant. The next question is what do you do? To begin, a healthy audit is required, so you start by asking yourself these questions:

1. What data does our company hold?

Awe, that’s an easy one you think. You list the different systems that come to mind: ERP, CRM, HR. But then you wonder, “What is the name of the system we use for data analytics?” You then realise that it’s not just the system's name that needs to be documented, but the entire data model inside the system.

2. Where does our company store this data?

Maybe you’re lucky enough to be able to write a complete list of your company’s IT systems. With that list in hand, you ask your IT department where the systems are that store their data. They could very well get back to you with the names of other systems that aren’t even mentioned on your list. Your search would prove that there are more systems to document and account for than you thought.

3. What is our Data used for?

“It’s used for business operations,” your finance person might answer, but will neglect mentioning it’s also used for budgeting, forecasting, BI and analytics. Finance might even add a few more systems to your list, since they will include the data warehouses and analytical tools they use.

If you press them to define what they mean by “business operations,” they’ll likely say something like, “You know, reporting, analysis, and some self-service BI.” Then, they’ll look at you and ask whether you really need a complete list of where every little piece of data is used? With GDPR coming at you, you know the answer to that question.

4. Who has access to our data?

As the list of systems and data usage has grown from your inquiry, your certainty about who has data access has faded. The answer doesn’t just cover access to the main company systems, but also data that’s being pulled into separate systems for data analysis and visualisations, and even data that’s just being fetched into Excel and later emailed “to whom it may concern.”

So who has access to data? Probably a lot more people than you think. Asking “Why?” could very well turn your list into a novel and may even include some department’s dream of eventually using this data for a certain purpose.

Viewing GDPR as a Golden Opportunity

Clearly, the more people you ask within your business, the longer the list will be of systems and the different kinds of data usage. Everyone from the C-Suite to the DBA is looking for resources, man-hours, tools and platforms to help them with compliance.

Maybe, the answer isn’t about adding as many resources as possible to cover the most mileage. Instead, perhaps you should be looking for different approaches that will enable you to reach GDPR compliance. For instance, consider transforming this work item as an opportunity to strengthen your management control of all your data management platforms and to work smarter from this knowledge.

The race is on to become GDPR compliant and there’s lots of ground to cover. With May 25, 2018 headed our way, all organisations need to pick up speed. GDPR compliance requires many tasks but to get to the finish line it all it starts with the comprehensive audit, and the realisation that it is not just about data, but about business processes and the continued wish to stay data-driven as a business.

Information Management

You Might Also Read: 

10 GDPR Myths Debunked:

US Needs To Get Its Data Ready For GDPR:

Please check with info@cybersecurity-intelligence.com for more information.

« Organisations Need A Data Ethics Strategy
Very Few UK Girls Took Computing A-level »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

Federal Office For Information Security (BSI)

Federal Office For Information Security (BSI)

The BSI (Bundesamt fur Sicherheit in der Informationstechnik) is the federal cyber security agency and the chief architect of secure digitalisation in Germany.

International Security Management Association (ISMA)

International Security Management Association (ISMA)

ISMA is an international security association of senior security executives from major business organizations located worldwide.

Systancia

Systancia

Systancia offer solutions for the virtualization of applications and VDI, external access security, Privileged Access Management (PAM), Single Sign-On (SSO) and Identity and Access Management (IAM).

Romanian Association for Information Security Assurance (RAISA)

Romanian Association for Information Security Assurance (RAISA)

RAISA promotes and supports information security activities and creates a community for the exchange of knowledge between specialists, academic and corporate environment in Romania.

AVeS Cyber Security

AVeS Cyber Security

AVeS combines expert knowledge and services with leading technology products to provide comprehensive Information Security and Advanced IT Infrastructure solutions.

Grupo CFI

Grupo CFI

Grupo CFI is the largest Spanish network of data protection and cybersecurity professionals.

Nakivo

Nakivo

NAKIVO is dedicated to delivering the ultimate backup, ransomware protection and disaster recovery solution for virtual, physical, cloud and SaaS environments.

Cyber Security & Cloud Expo

Cyber Security & Cloud Expo

The Cyber Security & Cloud Expo is an international event series in London, Amsterdam and Silicon Valley.

Framatome

Framatome

Framatome Cybersecurity portfolio is directly inspired by its unique experience in nuclear safety for critical information systems and electrical systems design.

Cyber Resilience Centre for Wales (WCRC)

Cyber Resilience Centre for Wales (WCRC)

The Cyber Resilience Centre for Wales (WCRC) is part of the national roll out of Cyber Resilience Centres in the UK which began in 2019.

Cybertronium

Cybertronium

Cybertronium is a leader in managing cyber risk. We bring you the latest from the complex, ever-evolving online threat environment with the insights to inspire and the expertise to act.

Atomic Data

Atomic Data

Atomic Data is an on-demand, always-on, pay-as-you-go expert extension of your enterprise IT team and infrastructure.

BCyber

BCyber

BCyber is a Swiss Cyber Security company that provides security products, training, and managed services to protect diverse IT and OT environments against cyber, physical, and cyber-physical threats.

Sensity

Sensity

Sensity is a company that offers an AI-driven solution to detect and verify deepfakes and other forms of identity fraud.

Averlon

Averlon

Averlon offers organizations peerless cloud security through Panoptic Cloud Visibility, Predictive Attack Intelligence and Rapid Remediation.

XONA

XONA

XONA is The Zero Trust user access platform for the OT enterprise. Secure operational access to critical systems - from anywhere.

Qryptonic

Qryptonic

Qryptonic pioneers next-generation cybersecurity by leveraging the unparalleled capabilities of quantum computing to defend against evolving threats.