GDPR: Checklist Before the Deadline

With the European General Data Protection Regulation coming into force today, security experts from ESET, Tenable, Imperva, CyberProof and Outpost24 have provided advice on the final checks organisations should consider before the deadline:

Martin Jartelius, CSO, Outpost24, said: “If you feel you are behind in your GDPR implementation, focus on these points:

* Ensure that you have enumerated all your sub processors
* Ensure that you have performed the data impact assessments
* Ensure that your websites and any other means of communication where data processing occurs based on consent actually gather consent and log this
* Ensure that you inform users clearly about how to execute their right of erasure
* Ensure that you have informed staff about not emailing or instant messaging personal data, or using new platforms without legal approval, as there will be sub-processing without consent.

“Next, plan how you will deal with any communication that might come in from individuals or inspectors. Understand that if something happens, transparency and clear communications to affected users is key to avoiding fines as well as staying on the right side of the law – transparency will be key to avoiding disaster. Once those are in place, you can work to catch up and get back on track with the rest of your implementation.”

Tomáš Mičo, senior Data Protection and Licencing Lawyer, ESET, said: “GDPR is about to change the way we think about personal data processing as well as the protection of data subject’s rights.

Principles Check. Comprehensive analysis and subsequent validation are required when it comes to the principles stipulated by GDPR, which are the most important part of GDPR compliance. Lawfulness, together with fairness and transparency, purpose and storage limitation, data minimisation, accuracy, and integrity with confidentiality must be present in every stage of data processing.

Accountability Check. After having all principles embedded into data processing activities, the ability to demonstrate this is about to be checked. The controller has to be able to provide solid evidence to support the claim of compliance during an investigation by the Supervisory Authority.

Appointment of Data Processor Check. All former contracts with data processors have to be revised and amended to ensure compliance with the requirements of GDPR.

Data Subject’s Rights Check. The controller should prepare and test the worst-case scenario of a data subject’s request, just to be sure that an appropriate answer can be given within the period required by GDPR.

Data Protection Officer Check. In the case of a data controller with a legal obligation to appoint a DPO, the selection process should already have been finished (or at least started).”

Gavin Millard, technical director, Tenable, said: “With the GDPR deadline looming and many organisations spending money on securing the personal data they plan to store, it’s important to remember good security isn’t measured by the number of zeros on a purchase order but by how well technology is operationalised in the environment. A well configured £10,000 security technology can be far more effective than a poorly deployed £100,000 one.”

Adrian Bisaz, VP of EMEA at CyberProof, added: “One of the top items on our customers’ checklist is the “right to be forgotten” as it is one of the more difficult requirements for companies to implement in time. Alternatives such as change of code or change of application are tactical solutions which don’t scale. An innovative approach is needed to help companies accelerate their ability to adhere to this requirement effectively.”

Terry Ray, CTO, Imperva, noted: “There are two common mistakes companies have made and continue to make with regard to data regulation, which sadly seem obvious until you look at the details. All data regulations require that a company of any size know ‘where’ all of the regulation-relevant data is in their environment and know when that data is viewed or modified. These seem easy until a customer realizes that most auditors will not accept a simple list of locations where private data is supposed to be. Instead, knowledgeable auditors expect a company to demonstrate that relevant data only exists in the locations where it’s supposed to be and not where it isn’t.

“More importantly, the company needs to demonstrate that private data does ‘not’ exist elsewhere within the organization, nor is it shared without knowledge outside the organization. This changes the process for many organizations from making a simple inventory of known locations where private data is supposed to reside, to a fully proactive review of all data storage systems looking for private data that doesn’t belong, or fell outside of private reporting procedures which may have left such locations off of a data privacy list.

“Simply put, it is the concept of companies knowing what they know, but unless they spend the time to undertake a full private data review, they’re left with the unknown unknowns. Post-breach, answering a data governance body with “I didn’t know that department had copied private data to another server” is not an appropriate defence.

“The other seemingly obvious requirement is auditing access to private data. First, this requirement is directly related to the quality of a company’s data classification, above. Do they know where all of their private data is? If not, then this step is now faulty as well. It’s a bit of a cascading problem, which leaves private data ignored, unmonitored and therefore unsecured.

“However, let’s assume a company does, in fact, have an effective data classification process and knows where all of their data is. How are they auditing access to it? Most auditors are looking for proof that a company knows the basics: Who viewed the data? How did they access it? When did it happen? Where did they come from and where was the data located? Most importantly (yet often missed), what was accessed, how much was accessed and should it have been accessed?

“These last three questions have been asked by post-breach investigators for years and have now made their way to regulatory audits, because of the failure of companies to effectively answer them during a data loss situation.

“Companies should fully expect to have secondary, deeper questions asked around the location of private data and whether private data is being accessed appropriately. These both require a level of diligence that many companies, even today with such a short time to go, still cannot answer. Time will tell whether GDPR softens their language to pass more failing companies or whether they make examples of some companies to get others into compliance.”
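As an added illustration of the audit questions Ray lists (who, how, when, where, what, how much, and should it have been accessed), the script below reviews constructed database audit events against a personal-data inventory and a storage-wide discovery result. It is example code written for this page, not tooling from Imperva or any other vendor quoted above; the inventory, the discovery set and the JSON-lines log format are all assumptions.

```python
import json

# Constructed data-classification inventory (assumption: the output of the
# "where is our private data" step): object -> who may touch it and how much.
INVENTORY = {
    "crm.customers": {"approved": {"crm_app", "dpo_reviewer"}, "max_rows": 500},
    "hr.employees": {"approved": {"hr_app"}, "max_rows": 100},
}
# Constructed result of a scan of all storage for personal data (assumption).
# Anything here but not in INVENTORY is an "unknown unknown".
DISCOVERED = {"crm.customers", "hr.employees", "reports.customer_copy"}

# Constructed database audit events as JSON lines; not real logs.
SAMPLE_LOG = """\
{"ts":"2018-05-25T08:01:12Z","user":"crm_app","src_ip":"10.0.5.21","host":"db-prod-1","via":"app_jdbc","object":"crm.customers","op":"SELECT","rows":42}
{"ts":"2018-05-25T08:07:55Z","user":"jsmith","src_ip":"10.0.9.77","host":"db-prod-1","via":"psql_cli","object":"crm.customers","op":"SELECT","rows":48000}
{"ts":"2018-05-25T08:09:03Z","user":"analyst2","src_ip":"10.0.9.80","host":"db-reports-2","via":"psql_cli","object":"reports.customer_copy","op":"SELECT","rows":3000}
{"ts":"2018-05-25T08:15:40Z","user":"hr_app","src_ip":"10.0.6.3","host":"db-prod-1","via":"app_jdbc","object":"hr.employees","op":"UPDATE","rows":1}"""


def review_event(ev, inventory=INVENTORY, discovered=DISCOVERED):
    """Answer who/how/when/where/what/how much for one event and list the
    reasons (if any) it should not have happened."""
    obj, issues = ev["object"], []
    policy = inventory.get(obj)
    if policy is None:
        if obj in discovered:  # personal data living where the inventory says it should not
            issues.append("personal data found outside inventoried locations")
    else:
        if ev["user"] not in policy["approved"]:
            issues.append(f"principal {ev['user']} not approved for {obj}")
        if ev["rows"] > policy["max_rows"]:
            issues.append(f"{ev['rows']} rows exceeds limit {policy['max_rows']}")
    return {
        "who": ev["user"], "how": ev["via"], "when": ev["ts"],
        "where": f"{ev['src_ip']} -> {ev['host']}",
        "what": f"{ev['op']} {obj}", "how_much": ev["rows"], "issues": issues,
    }


def review_log(log_text, inventory=INVENTORY, discovered=DISCOVERED):
    """Parse JSON-lines audit output and review every event."""
    return [review_event(json.loads(line), inventory, discovered)
            for line in log_text.splitlines() if line.strip()]


def flagged(findings):
    """Only the events an auditor would want explained."""
    return [f for f in findings if f["issues"]]


if __name__ == "__main__":
    for f in flagged(review_log(SAMPLE_LOG)):
        print(f["when"], f["who"], f["what"], "; ".join(f["issues"]))
```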
