With the GDPR clock ticking, how ready is your organisation?

16 Apr 2018

With only a matter of weeks to go before the European Union’s new General Data Protection Regulation (GDPR) comes into force, many Australian organisations are still scrambling to achieve readiness.

After the deadline of May 25, any organisation holding the personal data of EU citizens will need to enforce privacy principles that cover any transactions occurring within the region. Data could include anything from name and address details to purchase records, health details and credit scores.

Many organisations began their preparations two years ago when the requirements of the regulation were made public, while others have left the work to the very last minute. Regardless of their current status, all organisations operating in the region will be expected to have attained compliance by the May deadline.

The strategy required to reach this point will differ significantly between companies. Those that already have robust information security and privacy practices in place will have less work to do than those that don’t.

It will also be easier for organisations where legal, IT and audit teams are already used to working closely together. In these cases, senior management is likely to already appreciate that protection of personal data is important.

Those organisations with a long way still to go may realise that achieving full compliance by May will be difficult, if not impossible. However, this should not mean nothing is done. Plans need to be put in place to get as much completed as possible before the deadline, and the remainder during the months that follow.

Forming a GDPR compliance team

One of the most important things all organisations need to realise is that GDPR compliance is not simply a technology issue. Compliance requires input and effort from people across the business, and a GDPR project team should include people from departments such as:

Legal: The regulations are complex and have an impact on many areas of operations. The legal team will be invaluable in assessing how it will affect the organisation and communicating this to all staff.

Marketing: These teams are likely to be collecting and using customer data in myriad ways, so getting them involved early in the process is vital.

IT: Reviewing data stores and security measures is an important component of GDPR readiness. The IT team needs to be aware of the implications and required steps.

Business units: All business units that handle customer data should also be consulted. They will understand how data is being used and from where it’s being sourced.

Progressing toward compliance

With only very limited time to achieve compliance with the new regulations, it is a matter of setting priorities and following them.

A first step should be the formulation of a comprehensive plan that covers all parts of the business and details all the steps that need to be taken. These steps should include:

  • Set up clear lines of communication with all parts of the business to fully understand how data is being collected, where it is being stored, and how it is being used. All subsidiaries and third-party suppliers must be included in this process.
  • Create a clear and comprehensive catalogue of all customer data being retained across the organisation, noting its sensitivity and applicability to the GDPR rules.
  • Gain a thorough understanding of data flows, both within the organisation and to and from external parties. The data must be protected at all times.
  • Put policies in place to ensure proper deletion of data once it’s no longer required. Old data stores pose an unnecessary risk for the organisation.
  • Understand consent and ensure customers are aware of when and how their personal data is being collected and used.
  • Realise that GDPR compliance is a task that is never fully complete. As companies grow and change, their situation will have to be constantly evaluated and reviewed.

The importance of effective security

Alongside the structural and organisational shifts that will need to happen across an organisation, putting in place effective data security measures is a further vital step. Thankfully, these are unlikely to differ significantly from the measures that are probably already in place to protect other types of sensitive data. They include:

Access controls: Having effective access control should be a top priority. By ensuring only those people who need access to personal data actually have access to it, the risk of breaches can be significantly reduced. Adding encryption to stored data can further increase this protection.

Anti-malware tools: Just as these are used to protect many parts of an organisation’s IT infrastructure, they will be important when it comes to GDPR, helping to reduce the potential for external threats that could compromise the stored data.

Logging: Put in place mechanisms that allow all activity to be logged, including what data is accessed, when and by whom. This will provide an audit trail should issues occur in the future.

Reporting: The organisation will need the ability to demonstrate to authorities what security measures are in place and how effective they have been. Regular reports will aid this process.

The constraints imposed by GDPR can seem onerous and a significant impost on day-to-day operations. However, with comprehensive planning and thorough implementation of the required changes, compliance can be achieved with minimal impact on operations.

Article by Zscaler's vice president of Asia Pacific and Japan, Scott Robertson.