With under six months to go until the General Data Protection Regulation (GDPR) applies across the EU on May 25th 2018, organizations that handle the personal data of EU citizens are preparing for the new requirements. To help you through them, we’re creating a series of blog posts to see you all the way to that date. This GDPR-focused infographic covers the month-by-month high level topics. If you missed our November blog, please read it first.
With holiday season now in full swing in many parts of the world it’s important that GDPR preparation doesn’t get lost in the festivities. Here are our recommendations for December.
Assess your security program for GDPR readiness
In order to meet the requirements of GDPR, it’s possible that your security program may need some changes. Article 32 of the GDPR is all about applying a level of security appropriate to the risk, which also happens to be an approach that Rapid7 has long favored. So, if you’re only running some traditional anti-virus and have a firewall poked full of holes at the gateway then you’ll definitely have some work to do, but even if you have a top-notch-weapons-grade-seven-star security program it’s still worth ensuring that your people, processes and technology are set up for GDPR success. If you’re looking for assistance with this, our strategic advisory services consultants can tailor a GDPR readiness assessment to fit your needs.
Uncover shadow IT services
If you’ve read the November GDPR blog, you might be asking why this is getting called out again. We cannot stress the importance of this enough – you will come unstuck if you don’t get a handle on shadow IT services. From databases under desks, to unsanctioned cloud based applications, shadow IT could be hiding personal data that you’re not securing. Shadow IT tends to occur when users aren’t getting the system or service that they need to perform a task. You need to discover what’s being used and work out whether you need to provision some new services, bring currently used services into the fold so that you can secure them, or block some of them altogether. Blocking services may result in new shadow IT problems springing up, so be wary of being the Department of No.
Perform Privacy Impact Assessments (PIAs)
PIAs, also known as DPIAs (no prizes for guessing what the D stands for; Article 35 of the GDPR requires a Data Protection Impact Assessment wherever processing is likely to result in a high risk to individuals), will help guide a lot of your GDPR decisions, so if you haven’t already done so, start kicking these off now. And if you are a fan of things that are free, then you’ll really like this tool from AvePoint and the International Association of Privacy Professionals (IAPP).
Review and update data retention policy
With every compliance regulation since the history of having 20 seconds to comply, documentation is key. You likely already have a data retention policy in place (if not, then you need to get one), and so now is the time to review it and update where necessary. GDPR requires you to keep personal data only for as long as you actually need it for the purpose it was collected for. And if you don’t need it any more, then purge away. Other regulations that apply to your organization are relevant here too, as their retention requirements may already stipulate for how long you need to keep certain personal data. It’s worth calling out here a question that many people are already asking – what about the (misnamed) “right to be forgotten”? The Information Commissioner’s Office (ICO) in the UK has released some excellent guidance on this topic that clarifies what the right to erasure (Article 17) actually entails, including the circumstances in which it does not apply.
Review and update access control
From a security point of view, limiting user access privileges to systems and information is called out in a whole host of different frameworks. When you are securing your environment for GDPR, you need to ensure that only users who need access to personal data have it, and again you need solid documentation covering who has that access and why. It’s fair to say that not all organizations have historically had a good handle on access control. Granting application administrative privileges to a user has been a surefire way to get a helpdesk ticket closed quickly when they’ve reported an inability to perform a task. Revoking privileges when an employee leaves or changes role is another area that can be left wanting, so a periodic review of existing accounts and group memberships belongs in your process, not just a review of the policy that describes them.
You also need to think about which devices can access your network, as in our BYOD world it’s relatively easy for users to transfer personal data onto a whole host of unmanaged devices. Giving your access control policies a periodic good wash and brush is something you should be doing anyway, but documentation alone doesn’t equal compliance (or security!). A myriad of technology vendors in the market today can help you solve access control challenges, such as Forescout for NAC and CyberArk for privileged account security.
Document your incident response processes
Articles 33 and 34 of the GDPR bring in mandatory personal data breach notification and communication: notification to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a breach, and communication to the affected individuals when the breach is likely to result in a high risk to them. That clock only works if you can detect, assess and escalate an incident quickly. If you are unfortunate enough to have lived through the pain of a breach, or even if you haven’t (but have no doubt lived them vicariously through the seemingly daily news reports), then you’ll know the importance of an incident response plan. Whether you’ve got a security operations center deep in a mountainside, or you’re an IT/Security ninja army of one, or anything in between, you need to have an incident response process in place. Remember paper, that thing we all try to avoid? It has a very valid use here – if you only have your processes in electronic format then you may not be able to access them at the time you need them most, such as when the systems that hold them are the ones compromised or offline. Print off your incident response processes, including contact details for the people you will need to reach, and make sure you put them somewhere you can easily locate them.
Overwhelmed by the thought of building out an incident response plan at your organization? Check out our incident response services; we would be happy to partner with you.
So, in summary, there’s potentially plenty to keep you occupied this month as you continue on your GDPR journey. If you’re looking for further information or advice on how to proceed please do check out our GDPR toolkit.
Watch the GDPR blog tag to keep up as we get closer to GDPR go-time.