The Essential GDPR IT Checklist

5 April 2017


Prepare your IT for 2018


On 25 May 2018, the EU General Data Protection Regulation (EU GDPR) will replace all other data protection regulations within Europe. With it comes the potential for hefty fines: up to €20 million, or 4% of the organisation’s global turnover, whichever is higher [1]. The Netherlands has already implemented GDPR with the Breach Notification Law, which came into force on 1 January 2016 [2].

The GDPR does two things. It protects the data rights of EU citizens, and it protects their privacy i.e. their personal data. Anyone who does business within the single market will have to comply with it. That includes non-EU businesses who deal with EU customers.

The latter is clearly within the remit of IT, but the two overlap substantially. Robust, multi-layered endpoint security, operating at network, device and user level in the name of protecting data, does much to protect the associated rights. Detect and respond should be favoured over protect and defend. And the endpoints are the starting point: both device and user.

For example: the right to be forgotten mandates organisations to erase all of an EU citizen’s data, including all copies, should they request it. This requires a comprehensive data map covering what data is stored, where, and who has access. The same could be said for cyber security.

With that in mind, here are the 10 essential actions you need to take before the May 2018 deadline.

Stage One: Audit your Situation

The first stage is to assess your situation. By getting a realistic view of your current status, you’ll know how much you need to change in order to comply.

  1. Audit your data

    Make sure you know where all your data lives, who has access, and on what devices.

  2. Audit your service partners

    Make sure every service partner – cloud storage, SaaS etc. – that has access to your data is also compliant with GDPR, or under an officially sanctioned data jurisdiction.

  3. Audit all authorised and unauthorised devices with access to personal data

    Make sure you know every single device that has access to personal data – officially sanctioned or not.

Stage Two: Access Control

The second stage is controlling access to company data, to keep track of who has access, and to prevent a single breach granting access to everything.

  1. Ensure administrative privilege control

    Make sure administrative actions can only be taken by a select few, to minimise the risk of others gaining control of the network.

  2. Ensure tiered access to personal data

    Control access to data on a need-to-know basis. This should be based on the user, the device and the network the request is coming from.

  3. Ensure remote access and erasure rights for company data

    Make sure you can retrieve and erase data from all devices with access to personal data, especially in instances of loss or theft.

  4. Invest in new, more secure devices, if necessary

Stage Three: Detect and Respond

The final stage is to implement robust security to detect and respond to breaches. Prevention is ideal, but unrealistic.

  1. Implement a regular scan and security software update policy

    Traditional network defences – antivirus, antimalware and firewall – may not be foolproof, but they’re still important. Regular updates are essential.

  2. Implement real-time detect and response software

    Secure your endpoints with practical real-time breach responses, e.g. quarantining or terminating processes and devices. Include a Security Information and Event Management (SIEM) tool.

  3. Conduct employee training in cyber security

    58% of cyber threats come from insider negligence or malice. Run active training to prevent basic mistakes like opening unknown attachments.

Aside from building security, these actions help to achieve compliance with the following key provisions of the GDPR:

  • Report data breaches within 72 hours; and prove due diligence in preventing them
  • The right to be forgotten: erase all of an EU citizen’s personal data upon their request
  • Data portability: provide all personal data of an EU citizen in a format accessible to them
  • International transfers: ensure data is only transferred to other GDPR-compliant organisations, or to those within jurisdictions deemed ‘adequate’


[1] http://www.eugdpr.org/the-regulation.html
[2] http://www.nortonrosefulbright.com/knowledge/publications/129254/dutch-data-breach-notification
