GDPR: How to Prepare in the Calm Before the Storm

Wake up! There’s a new data protection regulation on the horizon, and it promises to have a big impact on organizations around the globe. The General Data Protection Regulation (GDPR) was formally adopted last month, leaving a scant two years for businesses to evaluate their security gaps and fix them in time to be compliant and avoid some extremely hefty fines.

The storm clouds are gathering. Read on so you can prepare sufficiently and come out the other side stronger — and more trusted by your customers — than ever.

What Is GDPR?

GDPR will replace the current EU Data Protection Directive after a two-year transition period. 2018 will mark the beginning of widespread unification and standardization of data privacy requirements across the 28 EU member states.

This new legislation is a step in the right direction: It unifies the patchwork of 28 different national privacy laws into one regulation applicable to all. This regulation certainly impacts businesses in the European Union, but it also directly affects any organization outside the EU that offers goods or services to, or monitors the behavior of, EU data subjects and processes their personal data.

As previously reported, GDPR “will enact stricter guidelines on getting consent for data collection, individual profiling and more comprehensive definitions of data. It all points to a new imperative to manage data at a granular, data-element level by understanding where the data is located, where it flows, with whom it is shared, what consent is given and when data must be deleted.”

GDPR also requires that a personal data breach be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it. Few EU countries currently have general breach-reporting requirements, so this is a big change.

Don’t Wait, Take Action Now!

Don’t wait for the GDPR storm to take you by surprise! There are three steps you should take to be prepared.

1. Evaluate Your Environment to Know What Needs Protecting

To safeguard data successfully, organizations must know what data exists and whether it contains personal information.

Under the GDPR, it will be essential to show that data is secured properly according to its sensitivity and classification. Discover and classify customer data so that you can understand the who, what, when, where and how of personal data access across all major platforms.

Understand your data retention policies, find that dormant data and remove it. Disks have become so inexpensive these days that organizations keep far too much personal data hanging around, which increases risk and can make it harder to act when a delete request comes in from a customer.

Clean house before the storm hits! While you’re at it, appoint a data protection officer (DPO) — someone who can help review all privacy notices and consent forms. GDPR makes the DPO mandatory for public authorities and for organizations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data, and a good idea for everyone else. This role keeps you on the right path toward compliance, reviewing external contracts and any cross-border data transfer issues. The DPO’s job is to ensure that controllers and processors respect their data protection obligations, and that data subjects are informed of their rights.

GDPR is not just for Europe — it is for any organization that processes, collects or uses personal data relating to EU subjects. So it probably applies to you.

2. Be Proactive by Building an Emergency Kit

Your emergency kit isn’t necessarily filled with physical items; it should also include security audits and tools that help ensure data protection techniques are held to the highest standard possible.

  • Conduct a GDPR readiness assessment to establish whether you are GDPR-compliant and identify which gaps must be filled.
  • Gain an understanding of the types of data protection required by GDPR (e.g., encryption, redaction and masking) and when they should be used. You should also know which platforms your customer data is scattered across — and whether your existing security solution can support them all.
  • Support real-time data activity monitoring and alerting so you can meet the mandatory GDPR audit, incident response and 72-hour breach notification requirements.
  • Ensure you have a trusted partner that can help provide on-site support with specialized knowledge, data mapping and classification to help to deploy the right types of protection.

3. Stay Tuned for Emergency Updates

Organizations will have to stay connected to learn about the progression of the GDPR, as well as any other related data protection initiatives. A trusted services partner can help you stay in front of new developments, and enterprises should also watch the European Commission’s website for news.

Right now it’s the calm before the storm. Use this time to proactively prepare and watch the storm roll in knowing that you’ve taken the right precautions. Once it’s here, you’ll be glad you did!


Christina Thompson

Portfolio Marketing Manager, IBM

Christina Francese Thompson is a Portfolio Marketing Manager for IBM Security Guardium on the Security Marketing team. She initially joined IBM 11 years ago and assumed a lead role in market analysis, product planning, go-to-market planning, and sales execution related to the on demand operating environment solutions. Over the years she was responsible for marketing various IBM Tivoli Solutions. Prior to joining IBM, Christina graduated with a Bachelor degree from the Lowry Mays Business College at Texas A&M University, where she majored in Marketing and Business Management. Christina currently resides in San Antonio, Texas.