The GDPR regulations can seem intimidating, but CISOs who reduce it into smaller steps are able to work towards compliance and accountability, by taking one step at a. Checklists and other resources can be found on the ICO's website.
Begin by performing an analysis of risks. This will include identifying points of shadow IT, as well as points that gather PII.
1. Educate Your Employees
One of the most important components of GDPR compliance training your employees. It's easy to overlook your employees instead of focusing on the specifics of GDPR compliance. However, recent hacks have proven that employees are often the leading reason for security breach. The training of employees is therefore mandatory. The best way to ensure this happens is by instilling a culture that supports privacy and not simply implementing a generic course.
The employees should know the information they have access to, where it is stored and for how long it's retained. If they are aware of the policies you have in place and how they impact on the business as a whole, the more they'll be concerned about safeguarding sensitive data. It will also make them more likely to stay on top with their work to reduce the chance of an incident.
Your staff should also be aware of the rights of individuals to access their personal data and also how to protect it. This is especially important for employees that handle DSAR requests or handle complaints from GDPR consultant individuals. It is vital that you and your staff are familiar with all the regulations regarding consent, as well as how to handle personal information in order to sell.
The training of staff members should incorporate an explanation of these subjects and should be provided on an ongoing basis. It is also recommended to set up a way to record the time when your employees have been trained, so that you can prove the fact that employees have been taught about GDPR.
Additionally, you must inform your employees of a short summary of the policy on data protection that you enforce so they have a reference to refer back to when there is a need to ask questions. This could be a brief easily-read and understandable document that could help them remember the key aspects of your policy as well as be sure that they're following all the proper guidelines.
Even though the GDPR can seem difficult, it's actually possible to achieve compliance in the shortest amount of time, if you have the proper resources. A trained Osano consultant can help you get started by identifying the crucial areas of your business to be addressed and preparing an action plan for the issues. Osano can also act as your representative under GDPR, supervise the performance of your vendors and assist you with answering access requests. Contact us today to learn more about how we can assist your company in becoming GDPR compliant.
2. Create an Data Protection Plan
GDPR is forcing companies to think about how they store and manage personal data. It covers both personal and corporate data. This law sets forth strict rules for how this information is used, and has severe penalties for anyone who does not follow the rules. Additionally, the regulation gives citizens the authority to make companies accountable for data they gather.
It is a good idea to design a data protection plan that covers every stage in the process, from beginning until the end. This will help you understand what actions must be taken to protect information and make sure that it is properly destroyed when it's not required anymore. Data protection plans also make it easier to spot risks and implement the essential mitigation measures that is a daunting task for some organizations.
Plan should outline the roles and responsibilities of each person in charge of the gathering and processing of personal data. The plan should identify who is legally responsible to notify a breach in data, as well as provide information to that person. The document should also outline how to respond to a request by an individual who wants their personal information deleted or modified. It should also include ways personal data could take in your company -- for example in the event that it comes into your systems, in which location it will end up, and then where it goes when it's deleted.
It's equally important to include all stakeholders in creating the plan for data protection Not just your IT team. You'll need people from Finance, marketing and sales -- or anyone who has access to sensitive information -in order to have the full picture of how this new law affects every department. It will help you avoid unexpected surprises and decrease risk of making an error that could result in the possibility of a penalty.
The program should be based upon the seven fundamental principles set forth by GDPR. This includes Privacy by Design, a idea that urges the development of your products and services with protection of privacy at the time of initial development. Customers can be assured that you take their privacy very seriously, and will only share personal information when it is required.
3. Review Vendor Agreements
Many businesses must navigate a maze of regulations governing the protection of data for both states and federal agencies, standards for industries and contractual obligations to vendors and customers. Regularly reviewing vendor agreements is vital to ensure compliance and protect your organization. It is essential to look through each aspect of the contract, which includes the terms of payment Intellectual property rights along with termination, dispute resolution, and more.
Idealistically, the examination should happen well ahead of the expiration date of contract renewal or cancellation. The organization will have the option of changing the terms in order to better meet the needs of its clients. This is also an ideal moment to resolve any issues that arise during the collaboration, for example disputes or misunderstandings which could quickly turn into legal issues.
Also, it's important to review any intellectual property and confidentiality agreements that are part of the contract. The terms of these agreements must be clear about the manner in which confidential information is treated and stored along with who holds the rights to any concepts or products developed in working with vendors. Additionally, restrictions on non-disclosure and advertising restrictions on products need to be specified.
Another crucial aspect that the agreement addresses is what personal information is given to the company in case of an incident. Given the 72-hour limit stipulated by the GDPR, it is even imperative that any contract contain a way to inform the entire company in the event of the possibility of a breach. This includes the department of procurement or a person who is in charge of accounts payable and receivable or any person who is responsible for data protection.
The agreement must also contain details about the way in which the vendor is going to protect personal data and the right for access requests to records containing personal information. It is vital to verify that the vendor has the proper security measures in place like encryption in order to prevent unauthorized access or alteration of sensitive information.
In addition, the contract should include a specific explanation of the procedure to end or contest the terms of the agreement. This can help avoid expensive legal battles down the road and allow an organization to maintain pleasant working relationships with its suppliers.
4. Test Incident Response Plans
GDPR obliges companies to regularly evaluate their plans for responding to incidents. The test should include the entire plan, including computers, network and physical security. This test will also consist of an assessment of communication techniques and methods utilized in the event that there is a security breach.
Tests must be performed in a controlled environment that mimics the effects of a breach on the staff as well as their reactions. This test will determine the capacity of the program to respond and mitigate damage. Important to keep in mind that a company that breaches the GDPR can be punished with up to four percent of their global annual earnings. This can be a powerful incentive for businesses to act in a proactive manner to protect their clients' information.
A well-organized incident response team is crucial in ensuring that GDPR is met. The team must comprise members from multiple departments of the organisation, for example IT Operations, IT, Executive and PR/Marketing. This ensures that all aspects of the response are taken into consideration in a timely manner. It is also important that the team be trained in how to respond and comprehend the importance in minimizing the effect on both the client and the company.
The GDPR's aim is to protect consumer privacy and give them the ability to control the information they acquire. It imposes limitations on the use and collection of personal data. The companies must get consent from people who are data subjects, inform them in their reasons for collecting data and what they do with it, restrict the amount of time it's retained and take appropriate security methods to protect data from breaches.
In the event of a data breach, companies should notify their customers within 72-hours. In order to limit damage the company must be able to evaluate the effect rapidly. Additionally, the data subjects have the right to ask that their PII be erased from the database of the business, and obtain any information that on them that the business has.
While multinational corporations receive the greatest attention over their infringement of the GDPR, this rule applies to any firm that sells its products as well as services EU citizens. In addition, it imposes sanctions on multinational companies who have a presence within one of the EU member state or process the personal information of European residents.