When it comes to the new EU General Data Protection Regulation (GDPR), there are obligations your organisation must fulfil to ensure you are compliant when GDPR comes into full effect on May 25th 2018.
The media is alive with advice on what you need to do and, with less than nine months left, organisations should be well along the way. The 10 steps below (compiled from a combination of legal lists I've read to date) give organisations a starting point on their GDPR compliance journey:
This list isn't exhaustive. Governance, risk management, and compliance professionals will go deeper and wider than this. There are many vendors making claims that they can help you with some or all of these steps. These steps represent the fixed cost of GDPR and must be completed by your organisation in order to be compliant and to demonstrate that compliance.
Security plays a role in the variable costs of GDPR, which is what many vendors will lead with, considering the eye-watering size of fines that can result from non-compliance. But in fact, security gets very little mention in the text of the regulation other than that GDPR requires controllers to implement reasonable and appropriate 'technical and organisational measures' to ensure data security.
Among the recommendations you will hear from security vendors, pseudonymisation is often cited as a security measure that can help a controller meet its data security obligations, alongside data leak prevention and a host of other controls for protecting data at the data subject level. However, the advice you almost never hear is to first minimise the number of data breaches. This would seem to be a self-evident truth, but the rush to a 'detect and respond' approach to security says otherwise. It is a losing strategy, both in terms of the current ransomware bubble and, over the longer term, in complying with data protection regulations like GDPR. The time before a breach happens is the last time you have freedom of will. After the breach, you are confined to the tracks dictated by compliance: forensic investigation, notification, and clean-up and consequences. Each of these has a cost, and in the case of reputational damage and GDPR-related fines, that cost can be considerable.
Many organisations are being advised to concentrate their efforts on the variable, and therefore open-ended, side of GDPR compliance by looking almost exclusively at the response side of the data breach equation. By ignoring the breach prevention side of the equation, organisations are missing an opportunity to reduce and control the variable costs that are associated with losing personal data. Instead, a better strategy is to invest in prevention technology to help stop breaches in the first instance. If you can stop the first domino from falling, you can save a whole lot of time and money.
By preventing 99% of cyberattacks and data breaches, Cylance® helps eliminate the high-cost regulatory chain reaction. By using the power of artificial intelligence and machine learning, Cylance® can predict known and unknown attacks, proactively prevent malware execution and exploits, and prevent data breaches to protect your business.
Head to our GDPR hub to find out more about Cylance® and Softcat's GDPR services, speak with your Softcat account manager, or get in touch using the button below.