GDPR: How do I get started?

So, we know by now this isn't something you'll be able to ignore. What are the steps you need to take to meet the regulation?

Firstly, let's break the actions down into 4 areas:

  1. Discover
    Identify what personal data you have and where it resides
  2. Manage
    Govern how personal data is used and accessed
  3. Protect
    Establish security controls to prevent, detect and respond to vulnerabilities & data breaches
  4. Report
    Keep required documentation, manage data requests and breach notifications

So, now we have broken it down it all starts to seem slightly more manageable! Let's look at what is included in each of these sections in a bit more detail:

Discover

Identify the data that your business is responsible for.

Any data that can be used to identify a person, such as:

  • Name
  • Email address
  • Social Media Posts
  • Physical, physiological or genetic information
  • Medical information
  • Location
  • Bank details
  • IP address
  • Cookies
  • Cultural identity

Inventory:

Identify where personal data is collected and stored, including:

  • Emails
  • Documents
  • Databases
  • Removable media
  • Metadata
  • Log files
  • Backups
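The Discover step above amounts to scanning the stores listed (emails, documents, log files and so on) for the kinds of personal data listed earlier and recording where each kind lives. As an added illustration that is not part of the original post or of Beeso IT's tooling, the Python below runs a few simple indicator patterns (email address, IP address, UK-style bank details, cookie headers) over constructed sample sources and builds an inventory keyed by data category. The file paths and contents are constructed for the example; the patterns are first-pass indicators for a human to confirm, not validators.

```python
"""Hypothetical personal-data discovery pass for the "Discover" step.

Scans constructed sample records (an email, a web-server log line, a
document) for a handful of personal-data indicators and builds an
inventory of which store holds which category of data.
"""
import re
from collections import defaultdict

# Indicator patterns for some of the personal-data categories listed in
# the post. A hit means "look here", it does not prove the data is real.
DETECTORS = {
    "email address": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "IP address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    # UK sort code followed by an eight-digit account number (assumed format)
    "bank details": re.compile(r"\b\d{2}-\d{2}-\d{2}\s+\d{8}\b"),
    # Cookie / Set-Cookie header values carried in logs or documents
    "cookies": re.compile(r"\b(?:Set-)?Cookie:\s*\S+", re.IGNORECASE),
}

# Constructed sample sources: (location, kind of store, content).
SAMPLE_SOURCES = [
    ("mail/inbox/2024-03-01.eml", "Emails",
     "From: jane.doe@example.org\n"
     "Please update my bank details: 12-34-56 12345678"),
    ("var/log/webapp/access.log", "Log files",
     '203.0.113.42 - - [01/Mar/2024:10:00:00 +0000] '
     '"GET /account HTTP/1.1" 200 Cookie: session=abc123'),
    ("share/hr/onboarding.txt", "Documents",
     "New starter pack. Contact facilities on ext 2201."),
]


def find_personal_data(text):
    """Return {category: [matches]} for every detector that fires on text."""
    found = {}
    for category, pattern in DETECTORS.items():
        matches = pattern.findall(text)
        if matches:
            found[category] = matches
    return found


def build_inventory(sources):
    """Map each personal-data category to the locations that hold it.

    Each entry records the path, the kind of store (email, log, document)
    and how many indicator matches were seen, which is the information the
    later Manage and Report steps need.
    """
    inventory = defaultdict(list)
    for path, store, content in sources:
        for category, matches in find_personal_data(content).items():
            inventory[category].append(
                {"path": path, "store": store, "count": len(matches)}
            )
    return dict(inventory)


if __name__ == "__main__":
    for category, places in sorted(build_inventory(SAMPLE_SOURCES).items()):
        print(category)
        for place in places:
            print(f"  {place['store']:<10} {place['path']} "
                  f"({place['count']} match(es))")
```

Run as a script it prints one block per category with the stores holding it; the document with no indicators simply does not appear. In practice the source list would be fed by crawling mailboxes, file shares, databases and backups, and the detector set would be extended to cover the other categories (names, location data, medical records) with stricter patterns or a dedicated classification service.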

Manage

Govern how personal data is used and accessed within your organisation.

Data governance:

Define policies, roles and responsibilities for the management and use of personal data:

  • At rest
  • In process
  • In transit
  • Storing
  • Recovery
  • Archiving
  • Retaining
  • Disposal

Data classification:

Organise and label data to ensure proper handling, by:

  • Types
  • Sensitivity
  • Context/use
  • Ownership
  • Custodians
  • Administrators
  • Users

Protect

And, possibly the most important part: preventing attacks on your data.

Protecting your data:

  • Physical datacentre protection
  • Network security
  • Storage security
  • Compute security
  • Identity management
  • Access control
  • Encryption

Risk mitigation:

Detect and respond to breaches, and monitor for and detect intrusions into your systems:

  • System monitoring
  • Breach identification
  • Calculating impact
  • Planned response
  • Disaster recovery
  • Notifying DPA & customers

Report

Keep required documentation, manage data requests and breach notifications.

Record keeping:

Enterprises will need to record the following:

  • Purpose of processing
  • Classification of personal data
  • Third-parties with access to the data
  • Organisational and technical security measures
  • Data retention times

Reporting tools:

Implement reporting capabilities covering:

  • Cloud services (processor) documentation
  • Audit logs
  • Breach notifications
  • Handling Data Subject Requests
  • Governance reporting
  • Compliance reviews

Beeso IT can provide consultancy services and data protection solutions to guide you through each stage of preparing for this new regulation, enabling you to manage for the future.

Contact us to discuss your requirements.

Daniel Beeson