4 Steps to get GDPR compliant
The General Data Protection Regulation (GDPR) is a major advancement in data protection law and will significantly impact your business. If you have clients in the EU, you are already affected and have been liable since 25 May 2018. That said, most companies still don't have a consistent plan to reach compliance, as the Forrester report "You need an action plan for the GDPR" states.
So why should you care about having everything in place?
Consequences of Non-Compliance
Failure to meet the requirements can result in a number of significant consequences:
- Penalties of up to 4% of annual revenue or €20M, whichever is higher, for the most serious infringements.
- Tiered fines of up to €10M or 2% of revenue (whichever is greater) for smaller infractions.
- Exposure to the potential of class action lawsuits from end-users whose data has been impacted.
- Risk of lost customers, lost revenue, and damage to the corporate brand/reputation.
Keep in mind that non-compliance penalties and fines are not one-time punishments. Compliance can and will be re-checked until you are compliant, and fines can be imposed over and over again for every infraction!
The regulation states that organizations must have a formal process in place to restore the availability of, and access to, personal data in a timely manner in the event of any physical or technical incident.
Does your organization have the ability to locate all instances of personal data pertaining to a given data subject?
Are you prepared to recover data in a timely manner with proof that the information is accurate and the process is repeatable?
If you answered no, you are not alone:
- 94% of US CIOs have data that is impacted
- Only 60% of US respondents have plans in place to respond to the impact of GDPR
- Only 19% of UK companies have such plans prepared
If you need to catch up on the GDPR, have a look at the GDPR Portal or the official EU website.
Where to start and what to do next?
Try a GDPR self-assessment based on people, process, and technology. If you find a gap, fix it. I will mention all the parts you may already have covered, but focus on technology, since that is my area of expertise. You will find the four steps for technology compliance below.
People
Assess your readiness by first looking at the “people” side of the equation and asking the following questions:
- Are your employees aware of GDPR?
- Do they understand its importance, and the ramifications of non-compliance (fines, reputational loss, etc.) if your organization fails an audit?
- Have your people been trained on GDPR?
- Do they realize that almost everyone in the organization is responsible for GDPR compliance in one way or another?
- Are steps being taken to make compliance an ongoing activity (GDPR is not going away)?
- Have they “bought into” the regulation, and understand that GDPR instills practices that are just good business in a world where security breaches are commonplace?
As you assess your readiness from a “people” standpoint, I have a few suggestions to help. First, drive GDPR awareness from the top of the organization down. Executive sponsorship will be key, and buy-in must be obtained in all areas at all levels. Compliance needs to become part of the organization’s culture, and almost everyone is responsible for it, not just your Data Protection Officer (should you need one). Develop and roll out awareness and training programs that are specific to the roles of your employees. Make it understood that GDPR is not just a company program; it is a very important, ongoing activity. Performing a self-assessment and documenting results and action plans could also help you build a defensible position to use with an auditor should a breach occur.
Process
Assess the personal data you have, and determine which of it falls under the jurisdiction of GDPR. For GDPR purposes, personal data (PD) is defined as information that allows a natural person to be directly or indirectly identified, e.g. name, phone number, IP address, etc. Document the processes you use to manage data that is subject to the regulation. Look for areas where data security could be exposed, develop plans for closing gaps, and then manage and track execution. This could also help you build a defensible position if a breach were to occur.
Technology
The third component of your assessment should be based on technology. GDPR does not specify which technologies should be used for compliance; Article 32 states only that, “Taking into account the state-of-the-art….implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk…”
My suggestion is to assess the technologies you use to manage data security, identify gaps, develop an action plan to close those gaps, and then manage execution. You will likely find that no one technology vendor can fill every gap, but here are some areas where BMC can help:
- GDPR requires Data Portability, meaning that data subjects have the right to receive their data from your organization and transfer it to another. To do that, you need to know where that data resides. BMC Discovery solutions can help you understand where your information is stored and eliminate blind spots (servers that you do not know about, and that could be vulnerable to a security breach). BMC also offers solutions for securely managing and automating internal and external file transfers. To learn more about how BMC Discovery can help you on your compliance journey, and how else it can help your business, you can read my previous LinkedIn blog here.
- GDPR mandates Security of Data Processing: personal data must be protected in a manner that ensures appropriate security, including protection against unauthorized processing, accidental loss, destruction, or damage. To help satisfy this requirement, BMC SecOps solutions can improve the security of servers and networking devices and manage security vulnerabilities.
- Another GDPR requirement is centered on Data Privacy by Design: data protection is included from the outset when designing systems, products, and services. BMC’s SecOps Policy Service can help you find and correct security exposures early in software development and cloud operations processes, including multi-cloud.
- A key part of the GDPR regulation is making sure your mainframe data is recoverable in a timely manner. BMC offers a mainframe backup and recovery solution that can estimate, simulate, and show that your data is recoverable in a timely manner.
4 Steps for your Action Plan in Technology Compliance
- Visibility. Visibility into all of your data center, public cloud, and private cloud assets is a must. Before you can tackle GDPR, you need to know with confidence where sensitive customer data resides, where and how it is being processed, and by whom, so IT needs the tools to implement ongoing discovery processes. For visibility into all your data center, public cloud, and private cloud assets and their relationships, BMC offers the most comprehensive discovery solution in the industry, with automated mapping of compute, storage, network, and software regardless of where it resides.
- Security. The activities of security, operations and development teams must be aligned to maintain security and compliance. Security blind spots must also be identified. The right solutions are needed to analyze and prioritize security threats, automate remediation, and reduce the cost of continuous compliance. GDPR mandates that you have a provable process in place to ensure data integrity. With the explosion of new applications saving unstructured data, such as photos and recordings, as Db2 Large Objects (LOBs), the risks of data corruption and loss have increased. Now you can manage and validate unstructured data automatically to ensure that data is intact and in compliance with GDPR.
- Integrity. With GDPR, data needs to be available with integrity. IT must monitor and ensure data integrity, validate structured and unstructured data automatically, and ensure that stored data is intact. Current tools and processes leave most organizations hard pressed to prove that they comply with "state-of-the-art" security measures or are working to include "privacy by design" as GDPR requires. BMC provides the only security and compliance solution that can automatically link vulnerabilities to identified patches and create a plan to deploy countermeasures with a single click.
- Recovery. Organizations need to ensure that data is recoverable in a timely manner in the event of any physical or technical incident. The recovery requirements are best met with tools that can automate and simplify recovery tasks and provide a backup and recovery solution that can estimate, simulate, and prove your recovery in a timely manner. Current approaches and limited resources mean that many organizations are not able to support the GDPR mandates for data recovery. BMC is the only vendor with a complete mainframe backup and recovery solution that can estimate, simulate, and prove your recovery in a timely manner to ensure compliance.
The essential capabilities for GDPR compliance are described in full detail in this whitepaper.
Even if you have some of the points above fully or partially covered, it is important to be able to report on and prove it. Most companies may have points 3 and 4 covered in some way, but the necessary basis of deep insight and automated reporting from a single source of truth is missing. The reason is simply that few providers offer a solution comparable to BMC Discovery.
Whether you are just starting your compliance journey in technology or you want to ensure you have the full picture and reduce risk and compliance cost to a minimum, you should ask me about BMC Discovery.