The General Data Protection Regulation (GDPR) is one of the hottest topics at the moment: the law comes into force in May 2018 and significantly strengthens data protection for individuals in the EU and internationally by introducing new restrictions on companies that process the data of EU residents.
When the new law comes into force in May 2018 it will be hard for small and medium-sized organisations to be ready. They often have less time and money to invest in getting it right and are less likely to have compliance teams, data protection officers or legal experts to give them appropriate advice. Moreover, many SMEs are completely new to regulatory compliance and critical data security best practices, which puts them at greater risk of cyber-attacks.
A major outbreak of panic has already started because, according to HubSpot’s market research, only 36% of organisations know what GDPR is, and 22% haven’t done anything yet to prepare for it.
Looking at the metrics above, let’s face it: the current situation is way below average and we are completely unprepared, running around like headless chickens. What makes it even more frightening is that there have already been huge fines for security failures in the past couple of months (the UK’s Carphone Warehouse was fined $540K for a 2015 hack). According to the forecast, penalties will be even higher under GDPR.
If I’ve got your attention, please stay with me: I am going to elaborate on what GDPR says about risk assessment and offer you my top 8 steps checklist on how to be ready.
Even though the terms risk assessment and data protection appear many times in the official GDPR documentation, unfortunately neither is clearly defined even once, and no steps or guidance on what they really mean and how to comply are available.
After delving deep into a large amount of papers and literature on GDPR, I feel risk assessment and data protection amount to a bundle of security best practices which could help your business build its defences and security walls. I believe the most important aspect of preventing risk is that it is tailored to your organisation while being aligned with the GDPR requirements. Perhaps the best way to get started would be:
· Thoroughly evaluating your profile and the risks you could face.
· After identifying your unique risk factors, taking measures to mitigate those risks.
· Setting up regular checks and assessments to make sure that risks are monitored at all times.
Here are my top 8 steps on how to prepare.
1. No more denial: you do need to pay attention to HOW you will be affected.
Like it or not, GDPR applies to every business or public body that stores or processes the data of EU residents, including employees in the EU, services offered to EU citizens and residents, and companies that process personal data on behalf of other organisations.
Please don’t waste more time hoping your organisation will be an exception. The deadline is approaching fast and the impact is global, affecting both EU companies and companies that have no presence in the EU.
2. I forgot already, what’s the deadline again?
The GDPR applies from 25 May 2018, so put that date in your calendar.
3. Organize a team of your best people.
As a first step, you should identify the stakeholders (marketing, HR, IT and legal), work out how each one will be affected by GDPR, and have a representative from each area across your business.
Second, don’t forget to appoint a Data Protection Officer who will take the lead in making sure you comply with the GDPR regulations.
4. Recognise your risks.
Identify the risks your organisation can face and classify them by severity and likelihood, using high, moderate and low categories.
Make sure you clearly state the damage or harm that each identified risk could cause.
Creating a risk matrix can be your cheat sheet to help ensure you don’t miss anything.
5. Weigh your risks.
As I previously mentioned, GDPR does not provide guidance on how to evaluate and weight the various risks, yet the trade-off between risk and benefit must still be made. This means different organisations will score the same risk differently, depending on the likelihood of it occurring and the damage it could cause.
For instance, if you handle and store a high volume of personal data, after 25 May 2018 you will be able to continue working the same way as before. However, you will need to assess the risk that collecting, storing and processing private information entails. Does this make sense?
6. Review other compliance standards and frameworks.
There are no specific procedures outlined by GDPR in regard to frameworks and compliance standards, so please don’t waste your time searching for one. There is also no need to reinvent the wheel: you can save time by using other compliance standards and frameworks, such as PCI DSS or the NIST Cybersecurity Framework, to get started, since they share the same primary goal as GDPR, protecting sensitive data.
7. Awareness of your company data.
Be completely aware of your company data: who can access it, and which parts of the stored details are sensitive enough to be at risk. Watch out for the GDPR requirements on data portability and consider how to adopt a single platform for data governance. It could help you be more organised and eliminate fragmentation in how data is stored.
8. Repeat the risk assessment process on a regular basis.
This must be an ongoing process: monitoring, checking, evaluating and re-evaluating the risk levels, and taking action wherever required. For instance, you need to make sure you have insight into and control over access permissions, so you can minimise or completely eliminate the risk that sensitive data will be accessed by unauthorised people.
I hope this was useful to kick-start your preparation, and don’t forget you can always get more information from the GDPR main site on how to be better prepared and avoid unwanted consequences.