Are we there yet? Or, more to the point, are you there yet?
Wait — which “there” are we talking about? Unless you’ve been hiding under a rock for the past year, you probably know that I’m talking about GDPR readiness. It’s likely you also know that GDPR enforcement begins on May 25 — which is less than 90 days away.
Over the past six months, Adam Nelson and I have been blogging about GDPR readiness. We’ve discussed the downside of procrastinating, the thinking behind the IBM Security GDPR framework, assessing your current GDPR readiness situation, designing your approach to transforming your organization’s practices and operationalizing your GDPR readiness plan. So it’s likely you have at least some idea by now about how to get there.
But how do you know if you’re actually there? When Adam wrote last month about operationalizing your GDPR readiness plan, he discussed the process of putting a plan into action. Once you’ve done that, you’re on your way to being ready to demonstrate that you’re doing all the things that GDPR says you need to do. In other words, being “there” means being able to show that you’re conforming with the regulation.
We’re talking about being able to provide evidence that you’re doing what you said you would do. For example, you should be ready to:
- Prove that you’re observing data subject rights, and showing reports of the actual requests and proof of how and when they were fulfilled.
- Show records of processing that illustrate how and where you obtained personal data and how it was handled throughout its life cycle — including how you disposed of it.
- Offer evidence that you conducted a data protection impact assessment (DPIA) — which is required in cases where there is a high risk to the rights and freedoms of the data subject, but is additionally recommended as a best practice for all.
Proving Your GDPR Readiness
Once you’ve checked those boxes, you should also be prepared to prove your GDPR readiness as needed. It’s possible others may log complaints against your organization just to get you to show them your processes. Fortunately, IBM Security Guardium Vulnerability Assessment can help you in that area. It provides prepackaged tools, such as prebuilt templates for GDPR-specific groups, GDPR-specific policies and GDPR reports, all based on the IBM Security GDPR Framework. And IBM Guardium GDPR Accelerator can help you track and provide detailed audit trails on data subject access requests such as access to personal data and data rectification, erasure or transfer.
You should have some type of security reference architecture in place so you can show how you implement policies and put them into practice. And you will want to be able to show how you log incident response and reveal what your patching processes look like. In addition, implementing a security immune system can help provide a more holistic view of security threats by integrating threat information from a variety of sources and infusing analytics. You may also want to consider taking advantage of artificial intelligence (AI) to help augment security expertise.
Because GDPR is designed primarily to improve data privacy, you’ll notice that the larger fines apply to privacy violations. These include violating basic principles for processing under Articles 5, 6, 7 and 9, data subjects’ rights under Articles 12 through 22, and transfer of personal data to a recipient in a third country under Articles 44 through 49. That means you might want to pay extra-special attention to data subject access trails, data subject access requests and incident response. In fact, I’ve noticed that many organizations aren’t as focused on incident response as they should be, which could turn out to be a big mistake. For help in that area, you can check out the IBM Resilient Incident Response Platform, which offers a GDPR-specific template.
And let’s not forget about your vendors. Have they provided you with information about where they process their data, who touches it, and what technical and organizational measures (TOMs) they use? What’s more, have you told them what you require? You may want to take this opportunity to look over your vendor contracts to determine whether any of them need to be updated to include GDPR-related concerns.
It’s Not Too Late to Create a Sustainable GDPR Plan
Of course, I realize that some of you reading this may not be anywhere close to “there” yet. But while there’s not a lot of time left to get all the pieces in place, there is still time to put some key policies in place and create a sustainable program that you can build on. You can learn more about how IBM can help you navigate your journey to GDPR readiness with privacy and security solutions here and within a broader perspective at ibm.com/gdpr.
Notice: Clients are responsible for ensuring their own compliance with various laws and regulations, including GDPR. IBM does not provide legal advice and does not represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation. Learn more about IBM’s own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.