At first glance, it may seem strange to be asking you where you are in your GDPR journey when enforcement for the regulation begins on May 25 — which is now less than 60 days away. After all, GDPR was approved way back in April 2016, and here at IBM we’ve been talking and blogging about it virtually ever since then.
Of course, we all know that there’s a huge difference between talking — or reading — about something and actually doing anything about it.
Last month, we discussed knowing whether you’re truly GDPR-ready. If you’ve already determined that you are ready, congratulations! You might want to continue reading anyway, just to see if there’s anything else you’d like to consider. But I’m guessing there are a lot of you who aren’t quite ready. And that’s why I started out today by asking where you are in your GDPR journey.
Yogi Berra once famously said, “If you don’t know where you’re going, you might not get there.” What’s that got to do with GDPR? Well, it’s pretty hard to get started if you don’t know what your obligations are or where your gaps are lurking. So I strongly suggest that you start with a readiness assessment. It offers a structured approach to developing a maturity assessment, gap analysis and road map that can help you see what’s most important and jump-start your efforts.
You can also take advantage of the readiness assessment for further guidance on managing your ongoing GDPR program and recommendations for additional services as you move forward. Remember, managing GDPR needs to be an ongoing, sustainable program.
In a hurry? You can start with an online self-assessment that allows you to answer a series of questions about what you’ve done so far and provides you with a customized list of the steps you can take next. What’s more, you can take advantage of an accelerator to help you identify your organization’s personal data, determine where it resides and begin to assess the security risks associated with that data.
I’ve heard many stories of well-intentioned but time-pressed security teams attempting to use spreadsheets to manage their GDPR record-keeping activities. As most of them soon discovered, spreadsheets just don’t offer a sustainable solution. Those spreadsheets aren’t always kept up to date and they’re not capable of managing or measuring risks. But the critical data protection program from IBM can help you identify and define your most valuable data, perform gap analyses, monitor your security framework, analyze and classify the most important aspects of your information, and create a risk remediation plan.
And using a data risk manager can help you identify and stop potential risks to personal data and sensitive business data that may impact business processes, operations and your competitive position. The overview page of IBM Data Risk Manager displays a world map showing the locations of your data assets so you can actually see where your important information resides. It can also help with GDPR data transfer requirements as you move information from one place to another.
In addition, GDPR mandates that you be ready to take action when the need arises. Let’s say that one of your key data sources that is known to contain large quantities of personal data has generated multiple alerts. At this stage, it’s important to quickly identify your risks and take the appropriate steps to address them. One critical area of risk involves user access — weighing who has access against who needs access. It’s good practice to regularly review access rights to both data and applications using purpose-built tools and make sure you have recertification campaigns in place. That will help you identify and mitigate situations in which an individual may have moved to another department, for example, and no longer needs access to that data.
Everyone involved should know who has responsibility for what. And you need to confirm that those who are responsible are the ones who should be responsible. Because having a policy in place is great — as long as you’ve actually put it into practice.
Up until now, we’ve been talking primarily about the processes for managing and protecting your data. But what if, despite your best efforts, something goes wrong? Incident response is a critical part of GDPR requirements, since you’ll need to be able to meet that 72-hour breach notification deadline. And it seems to me that people aren’t paying as much attention to this as they should.
At the same time, you might also want to consider establishing key performance indicators for incident response — and then setting up tests and drills to “practice” meeting them.
Identity management is also critical at this point because GDPR readiness isn’t just about data-related risks — it’s also about who has access to your data. So you need to have repeatable, regular mitigation processes in place — before you have an incident on your hands. In fact, identity is important across the board. Think about data subject access requests (DSARs) and the increased risk of fraud, for example. An individual could pretend to be someone else, go to a website and gain access to all of that “someone else’s” medical information. If it’s all in one place, a single password can let someone download it all with one click. That’s why multifactor authentication is so important. Is your organization thinking about these issues? It seems to me that many aren’t.
And finally, don’t forget about those who handle your data outside your company. Are all the necessary contracts in place regarding your organization’s data processors and their obligations? Do they have regular processes in place to make sure they’re following all the applicable procedures? Your GDPR program management office should be in charge of creating and maintaining a sustainable structure.
Now that I’ve outlined the things you may still need to do, I want to assure you that it is all doable. Just consider how you can leverage tools and processes you already have and add capabilities where you need them. I’ve seen plenty of organizations go through the process from beginning to end — and they’ve all survived to talk about it. There’s plenty of help available along your journey. Just remember to stop and ask for directions.
Notice: Clients are responsible for ensuring their own compliance with various laws and regulations, including GDPR. IBM does not provide legal advice and does not represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation. Learn more about IBM’s own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey.