JUNE 19, 2017 in ERPScan
Which Initiatives Should be a Part of your Program to be Compliant with GDPR?
The upcoming EU General Data Protection Regulation (GDPR) is considered one of the strictest and most far-reaching data protection regulations, as any company that handles EU customer or employee data falls under it. With GDPR coming into effect on May 25, 2018, businesses need to start preparing now to ensure compliance on time.
To gain insight into how organizations should prepare for the upcoming changes, we reached out to cybersecurity thought leaders and asked them which initiatives should be taken to be compliant with GDPR.
As Global Sales Director at Cohesive Networks and Managing Director of Cohesive Networks UK, Chris Purrington is responsible for worldwide sales. With over 20 years in the software industry, Chris has extensive experience in leading ISVs to success in EMEA. Chris led the sales team for 9+ years at Application Lifecycle Management company Borland, where he was UK MD and VP UK, Ireland and Africa.
The first, major step to complying with GDPR is to understand the data the organisation holds. Multiple departments will likely hold lists of personal information, such as email lists for marketing, human resources’ personnel files, and so on. Understanding what you must protect is the first step to protecting it.
At the core, the GDPR requires data protection by design. Organisations must design data security into business processes.
Another requirement is “pseudonymization”, or the process of transforming personal data in such a way that the end data cannot identify the specific data. An example is encryption. Additionally, the GDPR also requires that the associated information, like the encryption keys, be kept separately from identifying data.
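As an added illustration of the pseudonymization and key-separation point above (example code, not from the article or its contributors): the identifying field is replaced by a keyed HMAC-SHA256 token, so the pseudonymized dataset can be analysed on its own, while only the holder of the separately stored key can link a token back to a known identifier. The field name, key value and sample records are constructed for the demo.

```python
import hmac
import hashlib

# Constructed sample records (fictional people), as a marketing list might hold them.
CUSTOMERS = [
    {"email": "alice@example.com", "country": "DE", "purchases": 3},
    {"email": "bob@example.com", "country": "FR", "purchases": 1},
]

# Constructed demo key. In practice this lives in a separate key store (HSM, vault),
# never alongside the pseudonymized dataset it protects.
DEMO_KEY = b"constructed-demo-key-keep-in-separate-store"


def pseudonymize(records, key, field="email"):
    """Return copies of `records` with `field` replaced by an HMAC token.

    A keyed HMAC (rather than a plain hash) means an attacker holding only
    the dataset cannot confirm a guessed identifier by recomputing the token.
    """
    out = []
    for rec in records:
        token = hmac.new(key, rec[field].encode(), hashlib.sha256).hexdigest()
        pseudo = {k: v for k, v in rec.items() if k != field}
        pseudo["subject_id"] = token
        out.append(pseudo)
    return out


def reidentify(token, known_identifiers, key, field="email"):
    """Link a token back to an identifier the key holder already has.

    Only a party holding both the key and the candidate identifiers can do
    this; the pseudonymized dataset alone carries no way back.
    """
    for ident in known_identifiers:
        candidate = hmac.new(key, ident.encode(), hashlib.sha256).hexdigest()
        if hmac.compare_digest(candidate, token):
            return ident
    return None


def contains_identifier(records, field="email"):
    """Check that the pseudonymized output no longer carries the raw field."""
    return any(field in rec for rec in records)
```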
Specifically, IT teams can ease into GDPR with better monitoring and management. Automating any part of network scanning, log analysis, and compliance tracking can speed up time to compliance.
Next, teams should re-evaluate access controls to sensitive data. With cloud-based systems, it should be easier to implement strong authentication programs to apply the rule of “least privilege” required for each application.
Finally, add encryption in-transit to any existing security best practices. Cloud providers offer excellent encryption for data at rest, but only some services and intra-region transfers have data-in-motion encryption. Any data traveling between cloud regions, traveling over the public internet, and between organisation locations should be encrypted.
By: Margaret Valtierra