Achieving compliance with the GDPR is one of the biggest challenges facing businesses right now, and with the May implementation deadline fast approaching, time is running out to finalise plans.
“There is no silver bullet for GDPR compliance. Organisations need to think about what personal data they hold and how it’s processed and protected.”
Andy Kays, CTO, Redscan
Since data security forms a key part of the regulation’s requirements, it is vital that appropriate controls and procedures are in place to protect the personal information of employees, customers and partners.
Whether you’re confident of your business’s ability to comply or are somewhat unsure if existing security controls are up to scratch, here are four essential questions you need to ask to help ascertain true GDPR data security preparedness.
1. Do you know what personal data your business holds and where it’s stored?
The first step in the journey to complying with the GDPR is knowing what constitutes personal data and, crucially, what types of data your business processes. An updated definition of personal data in the GDPR now includes, under certain circumstances, online identifiers such as biometric data, web cookies and mobile device IDs.
If you aren’t confident that you know exactly what personal data your organisation holds, why it’s needed, and whether any piece of information, however small, could be accessed and used to identify an individual, then a more thorough review is needed.
- Conduct regular data protection audits
- Understand how data flows through your business
- Be aware of unstructured ‘dark’ data
2. Do all your employees know that they have a responsibility for data protection?
Data security has traditionally been seen as a job for the IT department, but under the GDPR that’s not an acceptable view: everyone within your organisation has a duty to protect personal data against unauthorised processing, loss and destruction. Humans are commonly cited as the weakest link in the cyber security chain, so ensuring that all your staff know their responsibilities and practise good cyber hygiene is important.
All it takes is for someone to click on a malicious link in an email, and you could find yourself explaining to regulators, in the aftermath of the resulting breach, why you didn’t educate your employees about the dangers of social engineering.
- Promote a security culture
- Undertake regular employee cyber security training for all employees
- Consider whether some staff require specialist training
3. Do you have processes in place to regularly assess your security posture?
If you haven’t tested the effectiveness of the security controls your business has in place, then now is the time to do so. To demonstrate compliance with the GDPR it’s important to have appropriate procedures in place to regularly test, assess and evaluate the effectiveness of technical and organisational measures for ensuring the security of data processing.
An annual external vulnerability scan conducted using an off-the-shelf tool is unlikely to be sufficient. Regulators are seeking evidence that businesses proactively review in-place data security and are capable of implementing any resulting recommendations. If your organisation is planning a new project, preparing to launch a new product, or carrying out an infrastructure upgrade, then a thorough security assessment of any at-risk networks, systems and applications should be a matter of priority.
- Obtain Cyber Essentials Plus certification
- Commission regular penetration tests
- Understand human risks with a simulated phishing assessment
4. Would you know if an attacker resided in your network and how would you respond?
While your business may have improved its security controls to avoid being an easy target, the persistent nature of cybercriminals means that there is no way of protecting against every attack. Breaches are an operational reality.
Identifying the presence of hackers continues to be a major problem for many organisations, but it is key to minimising the potential damage of an attack. Having robust procedures in place to detect and investigate personal data breaches, as well as to report them, is a fundamental requirement of the GDPR. Pleading ignorance of attacks and/or sweeping them under the carpet is not acceptable. If you don’t know what anomalous activity on your network looks like or how to respond to it, then a comprehensive review of your threat detection and response capabilities is overdue.
- Evaluate intrusion detection capabilities
- Conduct proactive network and endpoint monitoring
- Develop and test an incident response plan
How did you score?
While there is no silver bullet for GDPR compliance, answering yes to all the questions outlined in this article should go a long way in helping your business verify that it’s on track. If at any stage you answered no, or are uncertain about any of the points raised, then go back and reassess plans.
In the UK, the Information Commissioner’s Office (ICO) has a wide range of GDPR-related resources, including detailed checklists. Seeking independent support and advice from a data security specialist can also help to highlight risk areas and provide the guidance to address them.
One final piece of advice – whatever your route to compliance, make sure your roadmap is suitably evidenced. Having written policies and procedures in place that clearly outline your response to all GDPR requirements will go a long way towards demonstrating your business is ready for the May implementation deadline and the security challenges beyond.