GDPR: How do I get started?
So, we know by now this isn’t something you’ll be able to ignore. What are the steps you need to take to meet the regulations?
Firstly, let's break the actions down into 4 areas:
Identify what personal data you have and where it resides
Govern how personal data is used and accessed
Establish security controls to prevent, detect and respond to vulnerabilities & data breaches
Keep required documentation, manage data requests and breach notifications
So, now we have broken it down it all starts to seem slightly more manageable! Let's look at what is included in each of these sections in a bit more detail:
Identify the data that your business is responsible for.
Any data that helps you identify a person such as:
- Email address
- Social Media Posts
- Physical, physiological or genetic information
- Medical information
- Bank details
- IP address
- Cultural identity
Identifying where personal data is collected and stored.
- Removable media
- Log files
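The identification step above is easiest to see in code. The block below is an added example, not part of the original article: it scans a few constructed log lines for two of the identifier types listed (email addresses and IP addresses), builds a small inventory of where they occur, and shows how a line can be labelled and redacted for handling. The detector patterns and placeholder labels are assumptions for this example only.

```python
import re
from typing import Dict, List

# Constructed sample log lines for this example (not taken from any real system).
SAMPLE_LOG_LINES = [
    "2024-05-01T10:00:01Z login ok user=alice@example.com src=203.0.113.7",
    "2024-05-01T10:00:05Z health check ok",
    "2024-05-01T10:01:12Z password reset requested for bob@example.org",
    "2024-05-01T10:02:40Z blocked request from 198.51.100.23",
]

# Detectors for two of the personal-data types named in the inventory list.
# Assumed patterns for illustration; a real inventory would cover more categories.
DETECTORS = {
    "email_address": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def classify_line(line: str) -> Dict[str, List[str]]:
    """Return the personal-data categories found in one log line, with the matches."""
    found: Dict[str, List[str]] = {}
    for label, pattern in DETECTORS.items():
        matches = pattern.findall(line)
        if matches:
            found[label] = matches
    return found


def inventory_log(lines: List[str]) -> Dict[str, Dict[str, object]]:
    """Record, per category, how many values appear and on which line numbers."""
    inventory = {label: {"count": 0, "lines": []} for label in DETECTORS}
    for number, line in enumerate(lines, start=1):
        for label, matches in classify_line(line).items():
            inventory[label]["count"] += len(matches)
            inventory[label]["lines"].append(number)
    return inventory


def redact_line(line: str) -> str:
    """Replace each detected value with a category label so the line can be kept
    for monitoring without retaining the personal data itself."""
    for label, pattern in DETECTORS.items():
        line = pattern.sub(f"[{label.upper()}]", line)
    return line


if __name__ == "__main__":
    for label, entry in inventory_log(SAMPLE_LOG_LINES).items():
        print(f"{label}: {entry['count']} value(s) on lines {entry['lines']}")
    print(redact_line(SAMPLE_LOG_LINES[0]))
```

The same inventory function can be pointed at any text export (removable media listings, application logs) to find where personal data has accumulated outside the systems you expected.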
Govern how personal data is used and accessed within your organisation.
Defining policies, roles and responsibilities for the management and use of personal data in each state it exists in:
- At rest
- In process
- In transit
Organising and labelling data to ensure proper handling.
And, possibly the most important part: Preventing data attacks.
Protecting your data:
- Physical datacentre protection
- Network security
- Storage security
- Compute security
- Identity management
- Access control
Detecting & responding to breaches.
Monitoring for and detecting system intrusions:
- System monitoring
- Breach identification
- Calculating impact
- Planned response
- Disaster recovery
- Notifying the DPA (Data Protection Authority) and customers
Keep required documentation, manage data requests and breach notifications.
Enterprises will need to record the:
- Purpose of processing
- Classification of personal data
- Third parties with access to the data
- Organisational and technical security measures
- Data retention times
Implement reporting capabilities.
- Cloud services (processor) documentation
- Audit logs
- Breach notifications
- Handling Data Subject Requests
- Governance reporting
- Compliance reviews