-or- All I Want for Christmas is to be GDPR compliant
The General Data Protection Regulation (GDPR) goes into effect on May 25, 2018 and is considered the most significant regulation regarding data protection in the past 20 years. It will give greater rights to citizens over their personal data, as well as force companies to maintain greater control and management over the data they collect.
So, as the end of year approaches and our holiday wish lists are being made for Christmas and the new year, an important list to make is your organization’s compliance with GDPR. When it comes to GDPR compliance with Salesforce data, any organization that holds personal data on a European Union citizen will need to be compliant.
One of the first things you want to do within your organization is a Data Protection Impact Assessment. Inspired by the recommendations from the Article 29 Working Party for a Data Protection Impact Assessment (DPIA), the following are some of the key steps organizations should take to be compliant with the upcoming GDPR guidelines. The Article 29 Working Party (Art. 29 WP) is an advisory body made up of a representative from the data protection authority of each EU Member State, the European Data Protection Supervisor and the European Commission.
Odaseva created the following GDPR holiday wish list so that organizations can check it twice to help them on their journey to be GDPR compliant, particularly in terms of the technical and organizational measures needed to safeguard the security of personal data (Article 32 of the GDPR).
It’s important that each organization informs anyone processing data about GDPR rules and restrictions. Write an information technology charter with GDPR rules and give it binding force. Make sure you include partners and contractors in your communication if they are processing personal data from your systems.
If your organization has not appointed a Data Protection Officer (DPO), it’s time to involve your HR department and put the DPO at the top of your 2018 recruitment priorities. The DPO should, at the very least, inform employees, the data controller and the data processor about compliance regulations. He/she should also monitor compliance and provide advice for a data protection impact assessment. Next, he/she should monitor performance and cooperate with the supervisory authority when necessary.
Defining access profiles is an essential part of managing access rights. Deleting obsolete access rights is also important. Each year an organization should also review the access rights and make necessary modifications.
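As an added example (not part of the original post), the yearly review described above can be scripted once access rights are exported from the systems that hold personal data. The script below is illustrative: the export rows, the field names, the privileged profile set and the 90-day inactivity threshold are all assumptions for this example, not Salesforce's data model or Odaseva's tooling. It flags three kinds of obsolete or sensitive rights: profiles still held by people who have left, profiles on accounts that have not logged in recently, and privileged profiles that need a named justification.

```python
from datetime import date, timedelta

# Constructed sample of an access-rights export (not real data): one row per
# user with assigned profiles, last login date and whether HR still lists the
# person as an active employee. Field names are assumptions for this example.
ACCESS_EXPORT = [
    {"user": "a.martin", "profiles": ["Sales", "Admin"],
     "last_login": "2017-12-10", "active_employee": True},
    {"user": "b.dubois", "profiles": ["Support"],
     "last_login": "2017-06-01", "active_employee": True},
    {"user": "c.leroy", "profiles": ["Marketing"],
     "last_login": "2017-11-20", "active_employee": False},
    {"user": "d.petit", "profiles": [],
     "last_login": None, "active_employee": True},
]

# Profiles that grant broad access and therefore need a written justification
# at every review. Assumed set for this example.
PRIVILEGED_PROFILES = {"Admin"}

# Date on which the review is run (constructed for this example).
REVIEW_DATE = date(2017, 12, 20)


def review_access(export, today, inactivity_days=90):
    """Return (user, reason) findings for the access-rights review.

    Rules applied to every user that still holds at least one profile:
      - "leaver": HR no longer lists the person as active
      - "inactive": no login within `inactivity_days` days (or never)
      - "privileged:<profile>": holds a profile from PRIVILEGED_PROFILES
    Users with no profiles produce no findings (nothing to remove).
    """
    cutoff = today - timedelta(days=inactivity_days)
    findings = []
    for row in export:
        user = row["user"]
        if not row["profiles"]:
            continue
        if not row["active_employee"]:
            findings.append((user, "leaver"))
        last = row["last_login"]
        if last is None or date.fromisoformat(last) < cutoff:
            findings.append((user, "inactive"))
        for profile in row["profiles"]:
            if profile in PRIVILEGED_PROFILES:
                findings.append((user, f"privileged:{profile}"))
    return findings


def run_review():
    """Run the review over the constructed export with the default threshold."""
    return review_access(ACCESS_EXPORT, REVIEW_DATE)


if __name__ == "__main__":
    for user, reason in run_review():
        print(f"{user}: {reason}")
```

The "leaver" and "inactive" findings are candidates for deletion; the "privileged" findings are not deleted automatically but must be re-approved by an owner, which is the part of the review that usually gets skipped when it is done by hand.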
This may seem like a no-brainer, but it’s important to implement a strong login system. You should also write procedures for notification of personal data breaches, if and possibly when they occur. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
Your data is only as safe as the people working with it. Be sure your employees work on safe workstations that have an automatic session timeout procedure. Implement all the state-of-the-art security measures, including using an anti-virus and making sure it is regularly updated, installing a firewall and collecting user consent before any action on his/her workstation.
Mobility has become a staple of today’s workforce with the BYOD trend, yet also causes security vulnerabilities. It’s important to encrypt all mobile devices and carry out backups and regular data synchronizations. Also, enforce a password policy for unlocking smartphones.
Limiting network flows to the strictly necessary can help shore up your security and compliance. Portable devices should use a VPN to secure remote access. Also, leverage WPA2 or WPA2-PSK protocols for Wi-Fi networks.
Securing servers is also essential. Access to administration tools and interfaces should only be given to authorized personnel. Install critical system updates immediately, while also ensuring data availability.
Websites can be the weak point for organizations, especially when it comes to phishing scams. Here is a secure website checklist:
Secure backup and recovery is essential to GDPR compliance. Be sure you backup data regularly and securely store backup archives. Also, plan security measures for backups in transit. Once established, plan and test your backup system regularly for business continuity.
Implementing a specific access policy for archived data is an essential security measure. When it comes to data deletion, securely delete obsolete archived data.
When old data is deleted, keep a record of maintenance activities in a log.
Ensure internal supervision of third-party activities. Erase data from scrapped equipment.
Make sure your service providers offer guarantees in terms of the security and confidentiality of your data. In addition, make sure that your own subcontractors in turn commit themselves to the same safety obligations.
Another security vulnerability is data exchange, especially when it comes to insecure email exchanges. Be sure to encrypt data before transit and make sure the recipient is the person intended to receive the data. Send credentials separately using a different communication
Physical security can be overlooked in today’s digital world. It’s important to restrict access to offices using locked doors, and to install an intrusion alarm system and test it periodically. Also, make sure personal data cannot be seen or taken by third parties visiting your office during a meeting.
Use known algorithms, software and libraries to keep your data secure. Also, store passwords and encryption keys in a secure manner. Last but not least, make sure your data is encrypted at 3 levels: Network, Server and Data Encryption.
Implement a process to quickly and efficiently locate where personal data is used and stored within the different software your company uses. Logically, until an organization fully understands the personal data it collects and stores, where it is located, and how it moves through and out of the organization, it is not possible to protect it. Nor is it possible to fully comply with the GDPR.
Once you know where personal data is stored, set up internal processes with rules and permissions that give access only to the relevant employees who do need it. The first step in determining data limitations is understanding the data’s context. Typically, an organization’s data exists in three different environments with three different purposes: dev/test, production, and data warehousing and analytics. From dev/test to analytics, data minimization requires understanding a business’s needs, then collecting, storing and using only the data that relates to those needs.
An important GDPR principle is data minimization. Data processing should only use as much data as is required to successfully accomplish a given task. Additionally, data collected for one purpose cannot be repurposed without further consent. When requesting personal data, first ask: “Do I really need this data point?”
GDPR is a complex regulation that is forcing companies to rethink the way they store, protect and manage data. Because of the complexity involved with GDPR compliance, it is often helpful for organizations to have a Data Protection Impact Assessment done to make sure they are on the right track moving forward.
To learn more, get our GDPR resource kit here: www.odaseva.com/gdpr