-or- All I Want for Christmas is to be GDPR compliant<\/p>\n\n\n\n
The General Data Protection Regulation (GDPR) goes into effect on May 25, 2018 and is considered the most significant regulation regarding data protection in the past 20 years. It will give greater rights to citizens over their personal data, as well as force companies to maintain greater control and management over the data they collect.<\/p>\n\n\n\n
So, as the end of year approaches and our holiday wish lists are being made for Christmas and the new year, an important list to make is your organization\u2019s compliance with GDPR. When it comes to GDPR compliance with Salesforce data, any organization who holds personal data on a European Union citizen will need to be compliant.<\/p>\n\n\n\n
One of the first thing you want to do within your organization is a Data Protection Impact Assessment. Inspired by the recommendations from the Article 29 Working Party for a Data Protection Impact Assessment (DPIA), the following are some of the key steps organizations should take to be compliant with upcoming GDPR guidelines. The Article 29 Working Party (Art. 29 WP) is an advisory body made up of a representative from the data protection authority of each EU Member State, the European Data Protection Supervisor and the European Commission.<\/p>\n\n\n\n
Odaseva created the following GDPR holiday wish list so that organizations can check it twice to help them on their journey to be GDPR compliant, particularly in terms of the technical and organizational measures needed to safeguard the security of personal data (Article 32 of the GDPR).<\/p>\n\n\n\n
It\u2019s important that each organization informs anyone processing data about GDPR rules and restrictions. Write an information technology charter with GDPR rules and give it binding force. Make sure you include partners and contractors in your communication if they are processing personal data from your systems.<\/p>\n\n\n\n
If your organization has not appointed a Data Protection Officer (DPO), it\u2019s time to involve your HR department and add the DPO on top of your 2018 recruitment priorities. The DPO should, at the very least, inform employees, the data controller and data processor about compliance regulations. He\/she should also monitor compliance and provide advice for a data protection impact assessment. Next, he\/she should monitor performance and cooperate with the supervisory authority when necessary.<\/p>\n\n\n\n
Defining access profiles is an essential part of managing access rights. Deleting obsolete access rights is also important. Each year an organization should also review the access rights and make necessary modifications.<\/p>\n\n\n\n
This may seem like a no-brainer, but it\u2019s important to implement a strong login system. You should also write procedures for notification of personal data breaches, if and possibly when they occur. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.<\/p>\n\n\n\n
Your data is only as safe as the people working with it. Be sure your employees work on safe workstation that have an automatic session timeout procedure. Implement all the state-of-the-art security measures including using an anti-virus and make sure it is regularly updated, install a firewall and collect user consent before any action on his\/her workstation.<\/p>\n\n\n\n
Mobility has become a staple of today\u2019s workforce with the BYOD trend, yet also causes security vulnerabilities. It\u2019s important to encrypt all mobile devices and carry out backups and regular data synchronizations. Also, enforce a password policy for unlocking smartphones.<\/p>\n\n\n\n
Limiting network flows to the strictly necessary can help shore up your security and compliance. Portable devices should have VPN to secure remote access. Also, leverage WPA2 or WPA2-PSK protocols for WIFI networks.<\/p>\n\n\n\n
Securing servers is also essential. Access to administration tools and interfaces should only be given to authorized personnel. It\u2019s critical to install critical system updates immediately, while also ensuring data availability.<\/p>\n\n\n\n
Websites can be the weak point for organizations, especially when it comes to phishing scams. Here are a secure website checklist :<\/p>\n\n\n\n
Secure backup and recovery is essential to GDPR compliance. Be sure you backup data regularly and securely store backup archives. Also, plan security measures for backups in transit. Once established, plan and test your backup system regularly for business continuity.<\/p>\n\n\n\n
Implement a specific access policy to archived data is an essential security measure. When it comes to data deletion, securely delete obsolete archived data.<\/p>\n\n\n\n
When old data is deleted, keep a record of maintenance activities in a log.<\/p>\n\n\n\n
Ensure internal supervision of third-party activities. Erase data from scrapped equipment<\/p>\n\n\n\n
Make sure they your service providers offer guarantees in terms of the security and confidentiality of your data. In addition, make sure that your own subcontractors in turn commit themselves to the safety obligations.<\/p>\n\n\n\n
Another security vulnerability is data exchange, especially when it comes to unsecure email exchanges. Be sure to encrypt data before transit and make sure the recipient is the person intended to receive the data. Send credentials separately using a different communication<\/p>\n\n\n\n
channel<\/p>\n\n\n\n
Physical security can be overlooked in today\u2019s digital world. It\u2019s important to restrict access to offices using locked doors and install an intrusion alarm system and test it periodically. Also, make sure personal data cannot been seen or taken by third parties visiting your office during a meeting.<\/p>\n\n\n\n
Use known algorithms, softwares and libraries to keep your data secure. Also, store passwords and encryption keys in a secured manner. Last but not least, make sure your data is encrypted at 3 levels: Network, Server and Data Encryption.<\/p>\n\n\n\n
Implement a process to quickly and efficiently locate where personal data is used and stored within the different software your company uses. Logically, until an organization fully understands the personal data it collects and stores, where it is located, and how it moves through and out of the organisation, it is not possible to protect it. Nor is it possible to fully comply with the GDPR.<\/p>\n\n\n\n