The day has arrived and Europe is set to undergo perhaps its greatest revolution. This revolution – innocuous in name, but not in effect – is called the General Data Protection Regulation, or GDPR, which will revolutionize the notion of who “owns” data.
GDPR demands sustained vigilance from any organization that stores data on servers located in the EU or that holds personal data about people in the EU. Each violation can draw major fines: up to 4% of total worldwide annual turnover or 20 million euros, whichever is higher. As a hint of what may be to come, last June the EU imposed a fine of roughly $2.7 billion on Google over the company giving preference to its own results in shopping searches; that was an antitrust case rather than a data-protection one, but it shows the scale of penalty the EU is prepared to levy.
Some organizations might wonder what this has to do with them, and that is exactly where the risk lies: the regulation's territorial scope is broad. It applies not only to organizations established in the EU but to any organization, wherever it is based, that offers goods or services to people in the EU or monitors their behaviour, and it covers that data regardless of where the servers sit. Even so, the number of US organizations preparing for GDPR compliance is still extremely low; one poll shows that only 6% of North American companies consider themselves ready for GDPR.
The stakes are high, yet poll after poll shows that many companies aren't ready for GDPR. A UK government study, for example, reveals that barely a third of organizations have changed their cybersecurity policy to accommodate GDPR's demands, and many don't even know what changes they need to make. But, as with anything else in life, or in tech, things go more smoothly when you have a plan.
Below are the top five steps an organization needs to take in order to be ready for GDPR:
1. Appoint a data protection officer: So, where to begin? The sheer extent of GDPR compliance (getting a handle on large databases, how and where data is stored, who owns it, whether the security policies live up to GDPR's requirements, and so on) makes laying out a plan a major task. Fortunately, GDPR itself provides a starting point. It requires a Data Protection Officer (DPO) for public authorities and for organizations whose core activities involve large-scale, systematic monitoring of individuals or large-scale processing of special categories of data; any other organization is well advised to appoint one anyway. The DPO coordinates the policy changes and actions needed to bring the organization up to speed, and makes sure that compliance actually takes place.
2. Perform a data inventory: The data protection officer's job is to ensure that the organization gets control of its data: that it knows where the data is, how it is protected, how it is stored, and why it is processed. To make that happen, the officer needs to liaise with every department. GDPR also requires organizations (with a narrow exemption for some small ones) to keep a record of their processing activities, and the inventory is the natural basis for that record. Once the organization has a map of what data is located where, it is much easier to ensure compliance with GDPR's security and privacy provisions.
3. Make sure data is secure: GDPR does not publish a list of approved security, anti-virus or anti-malware products, and installing particular tools does not shield an organization (or the cloud provider it uses to store data) from liability after a breach. What it requires is security "appropriate to the risk", naming encryption, pseudonymization, the ability to restore availability after an incident, and regular testing of those measures as examples, and the organization has to be able to show that it chose and maintained such measures. Beyond protection, if a breach occurs the organization must notify its supervisory authority within 72 hours of becoming aware of it, and when the breach is likely to put people at high risk it must also tell the affected individuals without undue delay, so that they can take further steps to protect themselves, such as changing their passwords. Thus, another task for the data protection officer is to ensure that a mechanism to identify and contact the victims of a breach is in place, and that the 72-hour clock for notifying the regulator can actually be met.
4. Ensure full control of the data: One important task for the data protection officer is cataloging and bringing under control personal data that is "floating" in log files and corporate communications (email, documents and so on). Unlike centralized databases, that data is hard to get a grip on; many departments may not even realize it is there. To take control of it, the officer can use tools that scan files throughout the IT estate and identify the ones that need to be either protected or moved. Files that cannot be moved (for instance, part of a system dependency that will "break" an important function if moved) will need to have the personal information in them removed or replaced. GDPR distinguishes pseudonymization, where identifiers are replaced with tokens that can be reversed using separately held information and the data remains personal data, from anonymization, where the link to the individual is irreversibly removed; only the latter takes data out of the regulation's scope.
5. The right to be forgotten: One of the most important, if not the most important, aspects of GDPR is the set of rights it gives people in the European Union over their data. Organizations must tell individuals what data they hold on them and, on request, provide a copy of it; let them object to processing or opt out of a database, program, community or any other structure in which they may be included; and erase their data when it is no longer needed or when they withdraw consent (subject to exceptions such as a legal obligation to retain it). If the organization has completed the steps above properly, it will be able to pinpoint the data it holds on an individual and honour the GDPR-mandated "right to be forgotten".
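Steps 4 and 5 both come down to the same capability: knowing which files and lines hold identifiers for a given person, and being able to strip those identifiers from files that must stay where they are. The Python below is an added example, not code from the original post or from Loom Systems. It scans a few constructed log lines for two common identifier types (e-mail addresses and IPv4 addresses), builds an index of which file and line holds which identifier so an access or erasure request can be answered, and pseudonymizes lines that cannot be moved with keyed HMAC tokens. The file names, log content and key are hypothetical.

```python
import hashlib
import hmac
import re
from collections import defaultdict

# Constructed sample logs (hypothetical file names and content, not from any real system).
SAMPLE_FILES = {
    "app/auth.log": [
        "2018-05-25T08:00:01Z login ok user=alice@example.com ip=203.0.113.7",
        "2018-05-25T08:00:05Z login fail user=bob@example.net ip=198.51.100.23",
    ],
    "app/orders.log": [
        "2018-05-25T09:12:44Z order id=5512 customer=alice@example.com total=49.90",
        "2018-05-25T09:13:01Z healthcheck ok",
    ],
}

# Only two identifier types are covered here; names, phone numbers, customer IDs
# and the like need their own patterns (or a dictionary of known values).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
PATTERNS = {"email": EMAIL_RE, "ip": IPV4_RE}


def find_personal_data(files):
    """Index every identifier found: {identifier: {file name: [line numbers]}}.

    This is the "where does this person appear?" map that an access or
    erasure request needs, built from files that live outside any database.
    """
    index = defaultdict(lambda: defaultdict(list))
    for name, lines in files.items():
        for lineno, line in enumerate(lines, start=1):
            for pattern in PATTERNS.values():
                for value in pattern.findall(line):
                    index[value][name].append(lineno)
    return {value: dict(where) for value, where in index.items()}


def locations_for_subject(index, identifier):
    """Files and line numbers holding one identifier; empty dict if none."""
    return index.get(identifier, {})


def pseudonymize_line(line, key):
    """Replace each identifier with a keyed HMAC-SHA256 token.

    The same input always maps to the same token, so the log stays
    correlatable (one user's sessions remain linkable), but the identity
    cannot be recovered without the key. Under GDPR this is pseudonymization,
    not anonymization: while the key exists the data remains personal data.
    """
    def token(kind, value):
        digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
        return "<%s:%s>" % (kind, digest[:12])

    for kind, pattern in PATTERNS.items():
        line = pattern.sub(lambda m, k=kind: token(k, m.group(0)), line)
    return line


def pseudonymize_files(files, key):
    """Apply pseudonymize_line to every line of every file; returns a new dict."""
    return {name: [pseudonymize_line(line, key) for line in lines]
            for name, lines in files.items()}


if __name__ == "__main__":
    index = find_personal_data(SAMPLE_FILES)
    for identifier, where in sorted(index.items()):
        print(identifier, "->", where)
    # Hypothetical key; in practice generate it randomly and store it apart from the logs.
    key = b"replace-with-a-random-key-held-separately"
    for name, lines in pseudonymize_files(SAMPLE_FILES, key).items():
        for line in lines:
            print(name, line)
```

Two points a practitioner will care about. First, a keyed HMAC rather than a plain hash is deliberate: the space of e-mail addresses and IPv4 addresses is small enough that an unkeyed SHA-256 of each value could be reversed by brute force. Second, because the key allows re-identification by anyone who holds it, the key must be stored separately from the logs under its own access control, and destroying it is what moves the data from pseudonymized towards anonymized.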
Loom Systems delivers an AI-powered log analysis solution to predict and prevent problems in the digital business. Loom collects logs and metrics from the entire IT stack, continually monitors them, and gives a heads-up when something is likely to deviate from the norm. When it does, Loom sends out an alert and recommended resolution so DevOps and IT managers can proactively attend to the issue before anything goes down.