GDPR in 4 Steps and Where to Start

Although GDPR may seem complicated, there is an easy way to create a GDPR compliance plan and avoid future problems.

The General Data Protection Regulation (GDPR) is a regulation that unifies, across the EU, the rights, obligations, administration and protection associated with the processing of personal data, and, unfortunately, the sanctions as well.

The EU values personal rights and therefore takes the handling of personal data seriously.

Misuse of personal data or its insufficient protection can lead to fines of up to EUR 20 million or 4% of the company’s worldwide annual turnover, whichever is higher.

GDPR is primarily a strict regulation that affects every business and organization processing the personal data of people in the EU.

It therefore also concerns companies established outside the EU that offer goods or services to people in the EU or monitor their behaviour.

The GDPR can be divided into three main areas – security, accessibility of personal data and the legal area.

This requires adding controls and possibly reorganizing the data structure and storage process.

What the goals are:

Accessibility and structure of personal data

Personal data belongs to the person it describes: the data subject can at any time request information about what data is stored about them and how it is used, or request its complete deletion.

Personally identifiable information (PII), i.e. any information that can lead to the identification of a person, is also considered personal data.

  • Full visibility

Your organization must be able to trace and locate all personal data upon request. In many cases this will require changes to how information is stored and processed.

Successful implementation can also benefit your organization: knowing where data lives supports better business analysis and more accurate planning.

Our company will help you implement mapping tools that give you an overview of where this personal data is stored in your organization and how it is subsequently processed.

  • Removal

If requested, your organization must be able to erase all of a person’s personal data.

That may seem simple, but copies of this information often remain on other media or in backups, and those copies must be found and handled as well.

  • Informed consent

Any organization that stores personal data must have a lawful basis for doing so; where that basis is consent, the consent must specify exactly how the data will be used and with whom it will be shared.

  • Portability of private data

The data subject has the right to obtain the personal data you hold about them in a structured, commonly used and machine-readable format and to transfer it to another controller, and you must be able to provide it.

If you store large amounts of data that may be requested by many data subjects, your organization may face a significant workload.

Automating access, erasure and export requests is therefore strongly advisable.
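As an added example (not code from the original page or from the company it describes), the following Python script shows the "full visibility" and "removal" points above in working form: it builds a simple data map by scanning several stores for direct identifiers, locates every copy of one person's data, and then verifies what survives a naive erasure that only touches live systems. All store names, records and identifiers are constructed sample data, and the regex detectors are deliberately minimal.

```python
"""
Added example, not from the original page: a minimal personal-data inventory
(data map), subject lookup, and erasure verification across several stores.
Every store and record below is constructed sample data, not a real system.
"""
import re
from dataclasses import dataclass

# Detectors for direct identifiers. Kept simple on purpose; a real deployment
# adds locale-specific identifiers (national ID numbers, IBANs, ...).
DETECTORS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"\+\d{2,3}[ -]?\d{3}[ -]?\d{3}[ -]?\d{3}\b"),
}

# Constructed sample: three "systems" holding copies of the same person's data.
# The 'backup_' store simulates a cold backup that an erasure routine misses.
STORES = {
    "crm.customers": [
        "id=1001;name=Jana Novak;email=jana.novak@example.org;phone=+420 777 123 456",
        "id=1002;name=Peter Kral;email=peter.kral@example.com;phone=+421 905 222 333",
    ],
    "web.access.log": [
        '203.0.113.7 - - [12/Mar/2024:10:01:22 +0000] "GET /account?user=jana.novak@example.org HTTP/1.1" 200',
        '198.51.100.3 - - [12/Mar/2024:10:02:01 +0000] "GET /index.html HTTP/1.1" 200',
    ],
    "backup_2024_01.crm.customers": [
        "id=1001;name=Jana Novak;email=jana.novak@example.org;phone=+420 777 123 456",
    ],
}


@dataclass
class Finding:
    store: str
    line_no: int
    kind: str
    value: str


def inventory(stores):
    """Scan every store line by line; the list of Findings is the data map."""
    findings = []
    for store, lines in stores.items():
        for n, line in enumerate(lines, 1):
            for kind, rx in DETECTORS.items():
                for m in rx.finditer(line):
                    findings.append(Finding(store, n, kind, m.group(0)))
    return findings


def locate(stores, identifier):
    """Right of access: every (store, line) holding the given identifier."""
    return sorted({(f.store, f.line_no) for f in inventory(stores) if f.value == identifier})


def erase(stores, identifier, skip_prefix="backup_"):
    """Naive erasure: drop matching lines from live stores only and return the
    new store dict. Stores whose name starts with skip_prefix (backups) are
    left untouched, which is exactly the gap the text warns about."""
    out = {}
    for store, lines in stores.items():
        if store.startswith(skip_prefix):
            out[store] = list(lines)
        else:
            out[store] = [line for line in lines if identifier not in line]
    return out


def residual_copies(stores, identifier):
    """Verification after erasure: where does the identifier still live?"""
    return locate(stores, identifier)


if __name__ == "__main__":
    subject = "jana.novak@example.org"
    print("before erasure:", locate(STORES, subject))
    after = erase(STORES, subject)
    print("after erasure :", residual_copies(after, subject))
```

The verification step is the important part: an erasure request is only complete when `residual_copies` comes back empty, which in the sample requires a separate procedure for the backup store (restore-and-purge, or a documented retention period after which the backup is destroyed).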

Security

The GDPR requires controllers and processors of personal data to protect it from unauthorized disclosure, as well as from accidental loss, alteration and destruction.

If personal data is stolen or disclosed and the investigation reveals that the organization did not take adequate measures to protect it, the organization can be fined up to EUR 20,000,000.

Notably, the GDPR does not contain a list of required controls; it demands measures appropriate to the risk.

Information protection is therefore based on recognised best practices and standards.

  • Access control

Your organization should have systems in place that record and audit every access to personal data.

Installing an appropriate data loss prevention (DLP) tool is highly recommended.

A well-configured DLP tool controls what data may leave your organization, through which channels and by whom.

Our company has extensive experience implementing DLP products in various environments that help protect against various threats, including corporate espionage.

  • Monitoring

Regular review of the systems is recommended. All logs from the systems should be collected in a central location, evaluated, correlated in a SIEM and monitored 24/7.

  • Reporting

A security incident in which personal data is made available to an unauthorized person (a personal data breach) must be reported to the national supervisory authority within 72 hours of the organization becoming aware of it, unless the breach is unlikely to result in a risk to the persons concerned; where the risk is high, the affected persons must be informed as well.

For this purpose, our company offers SOC as a service, which saves a significant amount of money compared to running your own SOC.

  • Vulnerability management

Exploiting unpatched vulnerabilities is one of the easiest ways to compromise an environment and obtain data, so the vulnerabilities of the environment should be assessed regularly. For this purpose, our company offers the vScan solution, which is easy to implement and inexpensive.

  • Full information security standard

The above are minimum controls; for large processors of personal data, implementing a full information security standard is essential.

Legal requirements

The processing of personal data must be lawful, fair and transparent in relation to the person concerned. It is the company’s duty to inform the data subject what personal data is collected and for what purpose.

Processing must rest on a valid legal basis; where that basis is consent, the data subject must agree to the stated purpose and to the collection itself.

  • Informed consent

Consent conditions have been unified, so companies can no longer hide consent in long, unreadable terms full of legalese.

A request for consent must be presented in an intelligible and easily accessible form, in clear and plain language, together with the purpose of the processing; it must be unambiguous and given by a clear affirmative action.

  • Opt-out

The GDPR gives data subjects the right to object to the processing of their data (opt-out), and they must be explicitly informed of this right at the latest at the time of the first communication with the data controller.

  • Persons under 16 years of age

In case the data of a person under 16 years of age is processed.

  • Responsible person or DPO

Assigning one responsible, qualified and knowledgeable person to this role will greatly facilitate and simplify the process of ensuring GDPR compliance.

Our company can offer the services of one of our information security consultants, who acts as the data protection officer required by the GDPR.

The DPO is responsible for assessing and enforcing adequate GDPR processes, as well as monitoring the company’s compliance with the GDPR and advising the company on legal requirements to comply with the GDPR.

A DPO must be appointed in case of:

  • public authorities,
  • organizations whose core activities involve regular and systematic monitoring of data subjects on a large scale, or
  • organizations whose core activities involve processing special categories of personal data (or data relating to criminal convictions) on a large scale.

4 steps to comply with GDPR

  1. Responsibility and duty

Each controller must comply with the six principles for the processing of personal data under the GDPR (lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality) and be able to demonstrate that compliance (accountability). It must ensure transparent, secure and fair processing with respect to the rights and freedoms of the persons concerned, fulfil the rights of data subjects, keep records of processing activities and implement adequate technical and organizational measures to prevent data protection violations.

  2. Assessment – Analysis of your systems and processes

Any project related to personal data must include:

  • Data mapping

Any project related to the processing of personal data should begin with an analysis of the company’s systems and processes through a data mapping assessment. Data mapping gives the organization a 360-degree view of the complete life cycle of personal data, from the point of collection to the point of deletion, including all processes, processing points and means of processing.

  • Gap analysis

Every project related to the processing of personal data should include a gap analysis. A gap analysis compares the technical and organizational measures already in place against the objectives of the GDPR, determines whether they are sufficient, and identifies what must be implemented or improved to move from the current state to full compliance.

  • Data Protection Impact Assessment (DPIA)

Where the processing is likely to result in a high risk to the rights and freedoms of individuals (for example large-scale processing of special categories of data or systematic monitoring), a DPIA must be carried out before the processing starts. A DPIA classifies and assesses the personal data identified during data mapping and evaluates compliance and privacy risks from a legal, technical and security perspective.

Our company will provide you with a DPIA and the following solution proposal.

  3. Solution proposal

After the assessment, appropriate technical and organizational solutions and measures should be proposed.

To meet GDPR requirements, this solution should include legal arrangements, training, processes, documentation, technical and organizational solutions and information security implementation.

Our corporate consultants have extensive experience designing solutions for large environments, including Fortune 500 companies, and are available to support or fully design your GDPR solution.

  4. Implementation

The final step is the implementation of these proposed legal, educational, technical and information security controls and measures. Our methodical steps for GDPR implementation are as follows: Plan – Do – Check – Act.

These implemented solutions should be subject to regular compliance audits in order to detect and prevent potential deficiencies.
