The GDPR is Coming, so Where do you Start?
The clock is ticking for organisations of all sizes to get their data protection policies in order, now the final draft and approved text is available for the General Data Protection Regulation which replaces the existing EU Data Protection Directive. The new regulation will take effect in May 2018 and will require businesses to put much stricter focus on data protection. The headline items for organisations that collect or process EU citizen records are:
They must notify their supervisory authority of a data breach within 72 hours
Subjects will have the right to retract consent, request data erasure or portability
Organisations face fines of up to 4% of their worldwide turnover, or €20 million for intentional or negligent violations
These significant sanctions mean it is vital that the final legislative text be fully understood by a number of key stakeholders within your business, and that businesses start planning for these changes as soon as possible. Underpinning all of this is the fact that businesses, whatever their size, have to begin thinking about their security in terms of when they will face a data breach or attempted breach, rather than if. Only when businesses accept this will they be able to plan, execute and demonstrate successful security defences and policies.
To help with that, here are six key steps organisations should perform to provide a basic assessment of their current data protection strategy and any potential gaps that need to be addressed.
Initiate Assessment - Stage 1
The first step in the GDPR readiness assessment lifecycle is initiating the assessment. This consists of interviewing the stakeholders within the organisation who normally influence the collection, processing and access of personally identifiable information (PII), as well as those who hold authority over the organisation's various functions, such as HR and IT.
Data Discovery - PII Data Inventory and Mapping - Stage 2
After the initial interview phase has been completed, a data inventory and mapping exercise is carried out. In this phase, industry-leading technologies are used to discover any and all personally identifiable information (PII) located in both structured and unstructured data repositories, such as SQL databases and file shares on the network. Comprehensive data collection, analysis, remediation workflows and reporting are provided.
Through this process it becomes possible to build a map of where the PII held by Clients resides on the organisation's information systems. Once the mapping exercise is completed, a detailed document of the discovered PII is provided, captured in a format that allows Clients to understand the distributed nature of the PII being processed.
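As an illustration of the discovery and mapping step (added example, not tooling from the original article or from any vendor it describes), the script below scans a constructed "file share" and a constructed SQLite database for a few PII patterns and returns an inventory keyed by location. The patterns, sample paths and table names are assumptions chosen for the demonstration.

```python
import re
import sqlite3
from collections import defaultdict

# Assumed PII patterns a mapping exercise might look for: email, UK phone, UK NI number
PII_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "uk_phone": re.compile(r"\b0\d{4}\s?\d{6}\b"),
    "uk_nino": re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b"),
}

def classify(text):
    """Return the set of PII types whose pattern matches the text."""
    return {name for name, pat in PII_PATTERNS.items() if pat.search(text)}

def scan_files(files):
    """Unstructured side: files maps share path -> file contents (constructed)."""
    hits = {path: classify(body) for path, body in files.items()}
    return {path: sorted(types) for path, types in hits.items() if types}

def scan_sqlite(conn):
    """Structured side: check every text value; location is 'table.column'."""
    found = defaultdict(set)
    tables = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
        for col in cols:
            for (value,) in conn.execute(f'SELECT "{col}" FROM "{table}"'):
                if isinstance(value, str):
                    found[f"{table}.{col}"] |= classify(value)
    return {loc: sorted(types) for loc, types in found.items() if types}

def build_inventory(files, conn):
    """Merge both sources into one map: location -> PII types discovered there."""
    inventory = {f"file:{p}": t for p, t in scan_files(files).items()}
    inventory.update({f"db:{loc}": t for loc, t in scan_sqlite(conn).items()})
    return inventory

# Constructed sample data standing in for a network share and a customer database
SAMPLE_FILES = {
    "hr/onboarding.txt": "New starter Alice Smith, NI AB123456C, email alice.smith@example.co.uk",
    "it/release-notes.txt": "Version 2.3 fixes the login bug.",
    "sales/leads.csv": "name,phone\nBob Jones,01632 960123\n",
}

def sample_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, full_name TEXT, email TEXT)")
    conn.execute("INSERT INTO customers VALUES (1, 'Carol Lee', 'carol@example.org')")
    conn.execute("CREATE TABLE notes (id INTEGER, body TEXT)")
    conn.execute("INSERT INTO notes VALUES (1, 'Called 01632 960999 about refund')")
    return conn
```

The resulting map (for example `db:customers.email` -> `['email']`) is the input the later security assessment stages need, since it tells you which assets actually process PII.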
Security Assessment Cycle - Stage 3
Once a detailed picture of where the PII that Clients process resides is achieved, the GDPR readiness assessment service performs security assessments on the inventory of assets that process the data. A framework gap assessment is conducted within your organisation and reports on the level of effort required to take your organisation from its current state to a framework mapped to ISO/IEC 27001. Features of the gap assessment include:
Pinpointing the gaps that exist between the ISO/IEC 27001 standard and your current security practices
Providing you with the means to design an approach that will improve the overall performance of your information security posture
The assessment consists of two parts: a Technical Controls Assessment and a Cyber Security Assessment, performed over an agreed period. The Cyber Security Assessment is performed in line with the International Organization for Standardization (ISO) 27001 controls and delivered as an interactive questionnaire.
During the Technical Controls Assessment, a baseline non-intrusive security scan of the environment is performed to understand the following:
Antivirus software coverage across the environment
Versions of antivirus software deployed
Operating Systems prevalent in the network
Patch levels of the operating systems and common applications
Firewall configurations and health
Advanced persistent threat prevalence
Network traffic analysis
Privileged identity usage analysis
DDoS vulnerability posture
SSL traffic patterns
The GDPR readiness assessment and Security Assessment service provides Clients with a remediation roadmap to address any issues identified in the gap analysis. This roadmap details actions and mitigations for the issues discovered on the assets processing PII, any data classification remediation required, and detailed mechanisms that allow Clients to work towards compliance. It also highlights any policy gaps and proposes initiatives that Clients can adopt to drive the organisation towards compliance.
Policy Review - Stage 4
A consulting-led approach to review existing policies and their effectiveness in the environment.
Take action and make your life easier!