The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy. There is substantial impact to organizations that operate globally.
To respond to these changes effectively, organizations need to assess their current position and how ready they are to meet the new regulation. Given the complexities and lack of information about where and how data is held, this may not be straightforward. This should be followed up by a detailed GDPR readiness assessment to identify specific areas of non-compliance. More detail can then be drawn out in a specific privacy impact assessment which should then allow organizations to be clear about the action they need to take when it comes to governance, processes, organizational structures and technical requirements.
As a data controller, the organization must have a control structure in place that will:
- Apply critical security controls to detect, manage and mitigate appropriately any vulnerabilities to the data processing environment.
- Configure systems in accordance with an enterprise policy and maintaining that configuration.
- Identify systems that deviate from the established policy.
- Continuously monitor log files to alert to any potential breaches or vulnerabilities.
- Maintain the ability to detect, respond to, and remediate any incidents effectively.
- Engage securely with cloud services.
TrustedSec has experience in most control frameworks, reviewing an organization’s control structure against these requirements, and assisting in the development of a strategy to mature and become compliant or certified.