How to Tackle GDPR Compliance in Ten Steps

By Michael Trachtenberg, CTO, Maureen Data Systems

The GDPR deadline is fast approaching, and, as usual with tedious (yet necessary) regulations, many organizations have procrastinated and are now scrambling to become compliant before May 25th, 2018. Not all of them are at fault for the last-minute rush: organizations that were originally thought to be exempt from the largest data-protection overhaul in recent history (for example, companies not located in the EU that hold data on an employee, contractor, or customer residing in the EU) must still comply. Long story short, there is no denying that we will all have to comply with GDPR eventually. To make the process more manageable, MDS has put together 10 actionable steps your organization can take now to avoid the substantial fines that come with non-compliance (up to €20 million or 4% of global annual turnover, whichever is higher, under Article 83).

10 Steps Towards GDPR Compliance: 

1. Discovering people’s personal information traveling through the organization (Article 30 - Maintain an inventory of personal data)

  • Document where personal information lives in the organization and how it is used (names, email addresses, postal addresses, ID numbers, IP addresses: anything that can be used to identify a person, directly or indirectly, per Article 4(1))
  • This could be information in files, databases, email, unstructured data, backups, document management systems (DMS), knowledge bases, or anything else that holds data
  • Leverage eDiscovery, Advanced eDiscovery, Content Search, role miners, network discovery systems, AI behaviour-based discovery tools, crawlers, and good old-fashioned eyeballs

2. Discovering people’s personal information in data at rest (Article 25 - Data protection by design and by default)

  • Mine this information manually or automatically
  • If you use SaaS or public clouds, the providers should offer discovery tools; if they do not, consider a different service, or at least one that exposes an API you can integrate a discovery tool with
  • Use document management solutions, data classification systems, or application \ network traffic analytics tools to find this data
  • Discovering personal data at the time of access is typically easier than retroactively mining data at rest, but the retroactive pass is still necessary
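
Steps 1 and 2 describe a discovery crawl without showing one. The following is an added example (not code from the article or from MDS) of a minimal crawler that walks a directory tree, counts hits per identifier type, and emits an Article 30 style inventory. The regular expressions, the text-file extension list, and the sample corpus it builds in a temporary directory are all assumptions constructed for illustration; the one design point worth copying is that each detector masks its matches before the next, looser one runs, so an IBAN is not double-counted as a phone number, and that files the crawler could not read are reported rather than silently skipped.

```python
import os
import re
import tempfile
from collections import Counter

# Detectors for common personal-data identifiers. The patterns are an assumption
# for illustration: production deployments tune them per country and data type
# and add validation (IBAN checksums, phone-number libraries) to cut false hits.
PII_PATTERNS = {
    "iban": re.compile(r"\b[A-Z]{2}\d{2}(?:[ ]?[A-Z0-9]{4}){3,7}(?:[ ]?[A-Z0-9]{1,4})?\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "phone": re.compile(r"(?<![\w+])\+?\d{1,3}[ -]?\(?\d{2,4}\)?[ -]?\d{3,4}[ -]?\d{3,4}\b"),
}
# Most specific detector first: each match is masked out before the next,
# looser pattern runs, so an IBAN is not also counted as a phone number.
DETECTOR_ORDER = ["iban", "email", "ipv4", "phone"]
TEXT_EXTENSIONS = {".txt", ".csv", ".log", ".json", ".md", ".eml"}


def scan_text(text):
    """Return a Counter of hits per detector for one document."""
    hits = Counter()
    for label in DETECTOR_ORDER:
        text, count = PII_PATTERNS[label].subn(" ", text)
        hits[label] += count
    return hits


def scan_tree(root):
    """Walk `root` and build an Article 30 style inventory.

    Returns (inventory, unscanned): inventory maps each file containing personal
    data to the identifier types found and the hit count; unscanned lists files
    the crawler could not read as text, so the record is honest about coverage.
    """
    inventory, unscanned = {}, []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if os.path.splitext(name)[1].lower() not in TEXT_EXTENSIONS:
                unscanned.append(rel)
                continue
            try:
                with open(path, encoding="utf-8") as fh:
                    hits = scan_text(fh.read())
            except (OSError, UnicodeDecodeError):
                unscanned.append(rel)
                continue
            total = sum(hits.values())
            if total:
                inventory[rel] = {
                    "types": sorted(k for k, v in hits.items() if v),
                    "hits": total,
                }
    return inventory, sorted(unscanned)


# Constructed sample corpus (not real data): a few files of the kinds the
# article lists, including one binary file and one undecodable export.
SAMPLE_FILES = {
    "hr/employees.csv": (
        "name,email,phone\n"
        "Anna Berg,anna.berg@example.com,+46 70 123 4567\n"
        "Jonas Meier,j.meier@example.org,+49 30 1234 5678\n"
    ).encode(),
    "finance/payments.txt": b"Refund of 120.00 EUR to IBAN DE89 3704 0044 0532 0130 00 processed on 2018-05-02\n",
    "it/access.log": b"2018-05-02T09:14:03Z user=anna.berg@example.com src=10.20.30.40 action=login\n",
    "notes/readme.md": b"Internal project notes, no customer data here.\n",
    "marketing/brochure.png": b"\x89PNG\r\n\x1a\n" + bytes(32),
    "legacy/export.txt": b"\xff\xfe\x00\x01 not valid utf-8 \xc3",
}


def run_demo():
    """Write the sample corpus to a temp dir, scan it, and return the results."""
    with tempfile.TemporaryDirectory() as root:
        for rel, data in SAMPLE_FILES.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return scan_tree(root)


if __name__ == "__main__":
    inventory, unscanned = run_demo()
    for rel, record in sorted(inventory.items()):
        print(f"{rel}: {record['hits']} hit(s) of {', '.join(record['types'])}")
    print("unscanned (needs manual review):", ", ".join(unscanned))
```

Run as a script it prints the three files that hold personal data and lists the PNG and the undecodable export as unscanned; in a real crawl those unscanned entries are exactly the backups, exports and binary stores that need a tool with format support (or eyeballs) rather than a regex.
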

3. Discovering tools that people use within the organization that may contain personal information or can be used to move or transport it

  • Through the use of proxies and locally installed agents, get to know everything people are using in the organization, from an application and a public \ private cloud perspective
  • Leverage systems that help to discover Shadow IT, such as a CASB solution or forward \ reverse web proxies

4. Classifying data containing personal information (Article 32 - Maintain measures to encrypt personal data)

  • Using the information previously discovered, leverage a content management solution to encrypt individual pieces of content based on their classification
  • Ideally, choose a solution that offers content-level encryption for a wide variety of content types, driven by data classification and metadata
  • Leverage database encryption
  • Leverage API transaction encryption
  • Enable encryption of communications across the network and, where possible, at the application level for multi-node or home \ endpoint applications
  • Leverage partial or full disk encryption
  • Prevent the use of unencrypted media such as unencrypted USB drives

5. Protecting PI classified data on the move (Article 32 - Maintain measures to encrypt personal data)

  • Use content level encryption
  • Use encrypted email
  • Implement mail transport rules that catch outbound email and encrypt it based on its classification
  • Leverage secured (authenticated, expiring) sharing links
  • Build or leverage secure file sharing with external parties (Unencrypted FTP? get rid of it)

6. Protecting PI classified data on the way out (Article 32 - Maintain technical security measures (e.g. intrusion detection, firewalls, monitoring))

  • Block the sharing of PI-classified (encrypted) content outside approved channels
  • Block the upload of PI-classified content to public or unmanaged clouds, even when it is encrypted
  • Don’t use plain FTP
  • Revoke previously shared unencrypted links and other legacy unsecured access
  • Implement DLP solutions that can act on classifications and encryption state
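
Steps 5 and 6 amount to an ordered policy: hard blocks first, then encrypt-on-send, then a content check for anything the classifier missed, and only then allow. The block below is an added example of such an outbound rule set, not code from the article, from MDS, or from any DLP product. The internal domain, the managed-cloud list, the event fields and the sample events are all assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

# Assumed organisational settings for the example (not from the article).
INTERNAL_DOMAINS = {"example.com"}
MANAGED_CLOUDS = {"files.example.com", "tenant.managed-cloud.example"}
# Lightweight secondary check for personal identifiers the classifier missed.
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


@dataclass
class OutboundEvent:
    channel: str        # "email", "share_link", "upload" or "ftp"
    destination: str    # recipient domain or target host
    label: str          # classification label: "pi", "public" or "" (unlabeled)
    encrypted: bool     # content-level encryption already applied?
    body: str = ""      # message or file text, used only for the fallback scan


def evaluate(event: OutboundEvent):
    """Return (action, reason) for one outbound event.

    Rule order matters: hard blocks come first so that encryption can never
    'unlock' a destination the policy forbids, then encrypt-on-send, then a
    content scan that catches unlabeled PI, and only then allow.
    """
    if event.channel == "ftp":
        return "block", "plain FTP is not an approved transfer channel"
    if event.destination in INTERNAL_DOMAINS:
        return "allow", "internal destination"
    if event.label == "pi":
        if event.channel == "upload" and event.destination not in MANAGED_CLOUDS:
            return "block", "PI content may not be uploaded to an unmanaged cloud, encrypted or not"
        if event.channel == "share_link" and not event.encrypted:
            return "block", "unencrypted PI may not be exposed through a sharing link"
        if event.encrypted:
            return "allow", "PI content is encrypted at the content level"
        return "encrypt", "transport rule: encrypt PI content before it leaves the organization"
    if EMAIL_RE.search(event.body):
        return "quarantine", "unlabeled content contains personal identifiers; hold for review"
    return "allow", "no PI detected"


# Constructed events covering each branch (sample data, not real traffic).
SAMPLE_EVENTS = [
    OutboundEvent("email", "example.com", "pi", False, "payroll for anna.berg@example.com"),
    OutboundEvent("email", "partner.example.org", "pi", False),
    OutboundEvent("email", "partner.example.org", "pi", True),
    OutboundEvent("upload", "dropbox.example", "pi", True),
    OutboundEvent("upload", "files.example.com", "pi", True),
    OutboundEvent("share_link", "anyone", "pi", False),
    OutboundEvent("ftp", "legacy.partner.example.org", "public", False),
    OutboundEvent("email", "partner.example.org", "", False, "contact j.meier@example.org for details"),
    OutboundEvent("email", "partner.example.org", "public", False, "press release text"),
]


def run_demo():
    """Evaluate the sample events and return the list of actions in order."""
    return [evaluate(e)[0] for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event, (action, reason) in zip(SAMPLE_EVENTS, map(evaluate, SAMPLE_EVENTS)):
        print(f"{action:10} {event.channel:10} -> {event.destination}: {reason}")
```

Two details are deliberate: the encrypted upload to an unmanaged cloud is still blocked, because the page's rule is about where PI may live, not only whether it is readable in transit; and the fallback scan runs only on external, non-PI-labeled traffic, which is where classification gaps actually leak.
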

7. Manage access to data and data storage (Article 39 - Maintain roles and responsibilities for individuals responsible for data privacy (e.g. job descriptions))

  • Leverage Role Based Access Control
  • Take a least-privilege approach to data access
  • Implement a data governance strategy
  • Look broader to a full Identity and Access Management platform
  • Think internally and externally, and remember third parties and sub-contractors
  • Access controls and IAM need to apply to them too
  • GDPR covers the transfer of data between all of these data owners \ processors \ holders (controllers and processors in GDPR terms; Article 28 requires a written contract with every processor)

8. Protect access to PI data and data stores

  • Isolate personal data and protect it with privileged access management
  • Add layers of security to that access with conditional access policies and multi-factor authentication
  • Implement just-in-time (JIT) and just-enough access (JEA), so that standing privileges on PI stores are the exception

9. Gain insights and report on data and data policy enforcement (Article 33 - Maintain a log to track data privacy incidents/breaches)

  • Get this information into dashboards
  • Reporting, reporting, reporting: use the built-in reporting in the products you own and have implemented, and set up reports that tell you which data has been classified, which is protected, which contains personal information, where it has migrated, and who has accessed it
  • Article 33 gives you 72 hours from becoming aware of a breach to notify the supervisory authority, so breach logs and access reports need to be available on demand, not assembled after the fact

10. Bring it all together for compliance!

  • Combine everything on the technology side from steps 1-9 with HR and Legal policies and procedures around the use of personal information, put all of it into a written document, and be ready to share that document with vendors, partners, and, on request, the supervisory authority
  • Some of these tasks may seem daunting and overwhelming, and for a regulation of this scope it may not be possible to complete every aspect by the deadline.
  • That being said, you need to take concrete steps that show you are committed to making your organization fully compliant with GDPR.

Final Takeaways:

  1. Necessity is the mother of invention
  2. Do not wait any longer, get started and get started now
  3. Working towards compliance is always better than being caught with your pants down

With MDS you always have a compliance expert in your corner. One of our certified engineers will act as a trusted advisor and guide your organization towards GDPR compliance while improving your overall data infrastructure and security in the process.

Failure to meet compliance standards can result in substantial fines and other penalties

Ensure your company isn’t penalized for non-compliance - contact an MDS expert today!
