Data Protection Officer's Guide To The GDPR Galaxy

Has the impending GDPR deadline got you freaking out? These five tips might help you calm down, at least a little.

Many people are finding themselves faced with the need to familiarise themselves with a topic that pertains to everyone, data protection and privacy, even though most have not specialised in it.

In April 2016, the General Data Protection Regulation (GDPR) was passed into law in the European Union. The goal of the law is to give individuals control over their own data. While GDPR became law in 2016, it won't become enforceable until May 25, 2018. In this post, we'll explore the universe of GDPR and provide some resources to help you prepare.

So, why is everyone freaking out over this law, particularly if a company is not in the EU? GDPR is composed of 99 articles and 173 recitals that are used to help interpret the law, that's a lot of elements!

What's scarier is the sanctions for noncompliance can be a fine up to €20 million (approximately $24.6 million) or up to 4% of the annual worldwide turnover  (net sales generated by a business) of the preceding financial year, whichever is greater.

The "whichever is greater" is where most gasp a little. GDPR affects any business that operates in the EU and foreign companies that process the data of EU citizens. In our global economy, this is virtually every business. Furthermore, business must flow these requirements down to all their vendors.

The prospect of digging into this does seem daunting. So, where to start? First of all, breathe. While this is a large undertaking, there are many resources available.

1. Consider a training course. There are several avenues for training, and more become available each week. I'm lucky enough that my senior management team saw the importance of investing in sending someone to training so that our organisation was educated, and we would be able to work with our customers to meet their GDPR compliance needs as well as our own.

I went to London and took the DPO Ready Track offered by the International Association of Privacy Professionals (IAPP). This was a four-day training and consisted of the Certified Information Privacy Professional/Europe (CIPP/E) and the Certified Information Privacy Manager (CIPM) courses.

IAPP also offers these trainings online in a self-paced course. If you have the budget, I would highly recommend this option. There are consulting firms, training companies, and privacy vendors that also offer GDPR training.

If you don't have the budget to attend a course, consider webinars. If you are able to attend an in-person course like those mentioned above, you may consider augmenting that with webinars as well. TrustArc, OneTrust, and Nymity have a comprehensive series of webinars that are available on their websites. The nice thing about webinars — in addition to being free — is that you can watch them from anywhere, at any time, as long as you have an Internet connection.

2. There are a few books that have been written on GDPR, but... Personally, the handful of books I have read on the topic reminded me of the early PCI DSS books that were not much more helpful than reading the standard itself.

Most books are out of date before they even hit the virtual book shelves. I've found online articles, following the news feed from IAPP, and the guidance from the Article 29 Working Party advisory board and the Information Commissioner's Office (ICO) out of the UK to be more helpful.

3. There are many other online resources and tools that are very helpful. If you are unsure if you need a data protection officer, there are flow charts online to help you step through the requirements to determine if you need to appoint or hire a resource. Also available with a quick online search are checklists and templates. Nymity has a very nice GDPR Compliance Toolkit available for download.

Augmenting your knowledge with tools to assist in executing on some of the more daunting tasks for GDPR is a great way to help your organization meet the requirements.

If you don't have processes and tools in place to address tasks such as process mapping performing privacy impact assessments (PIAs) and data protection impact assessments (DPIAs), vendor tools may be a solution.

4. If you're not an attorney, identify your limits in terms of knowledge and ability. I have a very strong information security and compliance background and, before my training for GDPR, some privacy training; however, I'm not an attorney and have not gone to law school. I'm well aware of the boundaries of my knowledge and do not hesitate to work with our senior management to engage our outside counsel when necessary.

For example, one instance where we deferred to our attorneys is when we had to write a data processing addendum (DPA), which is a formal legal contract required under GDPR that outlines the roles and responsibilities of data controllers and processors.

5. Last but not least, reach out to your peers. Many of us are working through the onslaught of requests for information on how our companies will meet the requirements of GDPR as well as reaching out to all our vendors to ask the dreaded question, "What are you doing to meet the requirements of GDPR?" Seek support from peers to discuss your questions, worries, confusion, and frustration.

To contact the GDPR Advisory Board please visit:  www.gdpr-board.co.uk

Dark Reading

You Might Also Read: 

Ensure Your Cloud Storage Is Compliant With GDPR:

The GDPR Deadline Is Near & Business Is Not Ready:

« Self-driving Uber Vehicle Strikes & Kills
The Symphonic Enterprise »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

ThaiCERT

ThaiCERT

ThaiCERT is the national Computer Security Incident Response Team (CSIRT) for Thailand.

Steptoe & Johnson

Steptoe & Johnson

Steptoe is an international law firm with offices in the USA, Europe and China. Practice areas include Cybersecurity, Privacy & National Security.

ThreatHunter.ai

ThreatHunter.ai

ThreatHunter.ai (formerly Milton Security) is a business that tracks down and mitigates attacks in real time using our ARGOS Platform and our Elite Threat Hunters.

Efecte

Efecte

Efecte is a Nordic SaaS company specialized in IT Service Management, Self-Service, Identity Management and Access Governance solutions.

CyberPilot

CyberPilot

CyberPilot ApS is a Danish cybersecurity company. We work with all types of companies and organisations, both large and small, who want to achieve effective cybersecurity.

SlashNext

SlashNext

The SlashNext Internet Access Protection System (IAPS) provides Zero-Day protection against all internet access threats including Social Engineering & Phishing, Malware, Exploits and Callback Attacks.

VMRay

VMRay

VMRay delivers advanced threat analysis and detection that combines a unique agentless hypervisor-based network sandbox with a real-time reputation engine.

A3Sec

A3Sec

A3Sec provides professional solutions in the areas of Cybersecurity, Device Monitoring, Business Intelligence and Big Data.

Cytellix

Cytellix

Cytellix is an industry-standards-based, managed cybersecurity service provider, specializing in proactive behavioral analytics and situational awareness of an organization’s cyber posture.

Appsian Security

Appsian Security

Appsian provides powerful solutions that help organizations take control of their business critical data and financial transactions.

Easy Dynamics

Easy Dynamics

Easy Dynamics is a leading technology services provider with a core focus in Cybersecurity, Cloud Computing, and Information Sharing.

Prelude

Prelude

Prelude offer the first autonomous platform built to attack, defend and train critical assets through continuous red-teaming.

iManage

iManage

iManage's intelligent, cloud-enabled, secure knowledge work platform enables organizations to uncover and activate the knowledge that exists inside their business.

RMC

RMC

RMC was purpose-built for Mission Assurance and ICS/OT cybersecurity, dedicated to strengthening and protecting government and commercial assets.

Aunalytics

Aunalytics

Aunalytics is a data platform company that delivers insights as a service to answer your most important IT and business questions.

Teal Technology Consulting

Teal Technology Consulting

TEAL Technology Consulting is your trusted advisor for all your information security needs.