With all of the buzz of General Data Protection Regulation and the fast-approaching compliance deadline, it can be difficult to navigate the flood of information and ensure that you’re prepared. In this blog, we’ll dive into an overview of what GDPR Compliance is, how it can impact your organization and what you need to do to ensure that your organization is ready.
Background on GDPR Compliance
The European Union (EU) took up the issue of individual privacy in 2012 with the General Data Protection Regulation (GDPR), which was intended to strengthen protection for individuals in the EU and give them greater control over how their personal data is used. In 2016, a more formal set of policies was established that directed organizations doing business in the EU, or with EU citizens, to comply with GDPR standards by May 25, 2018.
The regulation sets out strict provisions that require businesses to use controls to protect data and to treat the personal information of all EU citizens with privacy. More specifically, it covers user metadata such as geolocation, IP addresses, management of browser cookies, and other operational elements. It also covers more personal information about a user’s race, sexual orientation, ethnic group, political affiliation, and other highly sensitive data. It will also enforce guidelines on the export of personal data outside the EU.
While this is all good news for users and their privacy, it is creating challenges for businesses that are fast approaching the springtime deadline. At the risk of sounding overly dramatic, there is a potential crisis looming: Gartner published a study indicating that more than 50% of companies affected by GDPR will not meet the May deadline, yet PWC says that it is the top compliance priority for 92% of U.S. organizations.
We recommend a strategy that includes the following five key elements that ensure comprehensive adherence and long-term management:
ONE: Assess your risk now
Microsoft advises taking steps to centralize, protect, and comply within the cloud. Recommended steps include simplifying processing into a single system, protecting data with industry-leading encryption, and using services that already comply with complex, internationally recognized standards to more easily meet new requirements. Microsoft provides many tools to assess your environment and expose areas of vulnerability so that you can respond accordingly. Leverage guidance from security experts to help you meet your privacy, security, and compliance goals.
SADA’s team of cloud security experts can help you quickly understand how close (or how far) you are from meeting the GDPR deadline, and can provide recommendations for operating under a long-term plan that is compliant. We encourage you to connect with us about how to protect your current business and technology investments and prepare to thrive in the future under GDPR.
TWO: Get specific about goals and actions
One criticism of the standard is that it contains a lot of gray area, so companies scrambling to comply are simultaneously challenged with having to interpret the meaning behind much of GDPR’s language. Many are confused about the overriding principle that companies must provide a “reasonable” amount of protection for personal data. Yet no definition of “reasonable” is to be found within the standard, which means companies must aim for a target without a bullseye.
The initial phase of compliance readiness is to assess your current state of security and then compare it with GDPR recommendations. Use what you learned from your risk assessment to initiate your plan. Because the standard contains some vague language, you will need to define for yourself what constitutes successful progress towards its requirements, but be rigorous in applying security controls.
THREE: Create a long-term strategy
The key challenge for companies is first to become GDPR compliant and second, of equal importance, to maintain continuous compliance in order to operate under EU law. This two-part aspect of GDPR places the burden of detection and management on the owner of the data, which means a completely new discipline has to be embedded into an organization’s IT department and across all business processes. Doing all of that while continuing to run the business in parallel is a massive burden; many organizations will undoubtedly show strain in their performance and finances as a result. Diligent organizations will partner with seasoned experts who can address GDPR as it relates to both business processes and technology resources.
FOUR: Identify a partner who knows your business and adopt the right tools
With time running out, many organizations are turning to business and technology consulting firms like SADA Systems because of their domain expertise in compliance requirements and their ability to help implement them at both the IT infrastructure and organizational behavior levels. Those who choose to go it alone soon realize that interpreting the standard is, by itself, daunting and elusive; GDPR readiness is part art and part science. Experience goes a long way in understanding both what to do and the most efficient ways to do it.
Some solutions are particularly well equipped to support GDPR compliance obligations. Microsoft Enterprise Mobility + Security and Office 365, among other Microsoft products, come with certification across a variety of compliance standards, GDPR among them. SADA compliance experts have used these tools to assess risk against the existing compliance and security postures within organizations, and can use them to rapidly deploy GDPR-specific controls. These tools are core to an organization’s infrastructure and can be used to adapt to the standard’s requirements with minimal disruption.
Forming business processes, managing change, and configuring multiple technology resources may get you a passing grade on May 25, but it is critical that the overall effort includes the longer-term goal of maintaining ongoing, continuous compliance. This is a critical consideration when choosing a partner to help implement GDPR; the long view on technology and business change that SADA brings to clients has been formed through many iterations of business and technology cycles over the 17+ years the company has been operating. Our security experts design solutions for an organization’s growth, not just to achieve short-term milestones.
FIVE: Don’t neglect a long-term strategy
SADA works with customers to first assess their existing risk. From there, we break down internal processes and IT resources to understand controls and governance, and begin mapping needed changes across different categories. We look at marketing, sales, finance, manufacturing, operations, and other business groups and make the changes needed to ensure adherence across all activities.
But, as we mentioned earlier, this is not just a deadline-based action. GDPR is here to stay for any organization doing business in the EU, and it will require ongoing maintenance and updates as the standard changes.
Don’t delay! The May 25th deadline is fast approaching, but with the right mix of foresight, consulting expertise, and willingness to push forward, it is an achievable goal and one that will help your organization create or maintain a competitive advantage in the market.
Click the link to access a whitepaper that explores GDPR and its implications for organizations, how Microsoft 365 can help your organization approach GDPR compliance, and what you can do to get started today!