The General Data Protection Regulation (GDPR) impacts every business in the European Union(EU) or doing business in the EU even if their headquarters are outside EU borders. The GDPR enforcement starts May 2018, giving ample time for enterprises to plan and implement the right controls. There are many elements in the GDPR directive. We recommend that enterprises put a plan in place to achieve certain milestones before the deadline, in order to avoid fines and possibly earn some goodwill from the EU. Compliance experts at Imperva have worked on the following framework to help customers navigate the data security and compliance technology requirements for compliance with the GDPR.
Stage 1: 0-6 months
Discover and inventory – of known and unknown data repositories and sensitive data
Analyze Data flow and touchpoints – including sub-processors
Inventory current policy and procedures
Develop the breach discovery, response and notification requirements for:
Data Monitoring
Alerts and investigation process
Discovery and immediate containment
Assessment of loss and ongoing risk
Incident response and investigation
Notification of breach
Post event evaluation and response
Draft the Data Protection Impact Assessment report
Stage 2: 6-12 months
Perform inventory and gap analysis of Data security and compliance technology
Evaluate and select monitoring, minimization and encryption technology
Privacy by design
Perform Privacy Impact Assessments (PIAs)
Define Data Protection officer (DPO) role and responsibilities
Alert the organization to any risks that might arise with regard to personal data
Monitor the activities of all data controllers within the DPO’s corporate group
Periodic checks to ensure that the organization’s security measures remain appropriate and up to date – facilitate audits and investigations
Provide guidelines to the Board of Directors as well as all members of staff
Update permissions collections process
Negotiate with 3rd party processors
Evaluate USA data transfers requirements
Stage 3: 12-24 months
Phased implementation of data security and compliance technologies
Compliance audits and reporting
Hire DPO
Rollout new P&P
Test
Training
Verify and validate (Certification)
We have highlighted the milestones for each stage that can help achieve GDPR compliance without running to surprises and avoid hefty fines. With early GDPR certification, competitive advantage can help bolster brand image relative to the laggards.
Find out more about GDPR and Data Security.
Data Protection in the EU – http://ec.europa.eu/justice/data-protection/reform/index_en.htm
Try Imperva for Free
Protect your business for 30 days on Imperva.