The General Data Protection Regulation (GDPR) comes into effect today. As a security and privacy professional, I can relate to the impact it has had on organizations' internal and external processes for handling personal data. In the last two weeks I have received a flood of emails about opt-in/opt-out, privacy notices, consent, and so on, which shows that everyone out there has been working towards GDPR compliance in one way or another.
While May 25th 2018 marks an important date in the era of data privacy, the focus will now shift from becoming compliant to sustaining compliance. There will also be a need to integrate and automate the different controls deployed for security and privacy on a continuous basis. Compliance is always a journey whose objective is to enable the business, not to paralyze it. Hence, due consideration will have to be given to ensuring security- and privacy-enabled business operations rather than a namesake compliance effort.
The key points to remember in order to sustain compliance are:
- Keep the PII data dictionary up to date in a centralized location
- Conduct Privacy Impact/Risk Assessments of applications based on their business criticality
- Ensure unambiguous consent every time you have something new to offer to your private customers
- Integrate all business applications dealing with personal data with an Identity and Access Governance solution
- Integrate all critical infrastructure that can result in egress of personal data with a Privileged Access Management solution
- Integrate all your critical security devices and business applications with a Security Incident and Event Monitoring solution
- Ensure protective controls are implemented at all personal data egress points for data at rest, in motion and in use
- Ensure Privacy and Security by Design in all your applications/infrastructure dealing with personal data
- Create awareness of breach notification procedures across your organization
- Test the incident response plan and breach notification procedures at regular intervals
- Ensure data encryption/anonymization controls at the data level for PII and sPII
The organization’s ability to protect, detect, respond and recover will go a long way in sustaining compliance.
Authored By - Vikas Choudhary
TCS Cyber Security Practice