Data Protection Officer's Guide To The GDPR Galaxy

Has the impending GDPR deadline got you freaking out? These five tips might help you calm down, at least a little.

Many people are finding themselves faced with the need to familiarise themselves with a topic that pertains to everyone, data protection and privacy, even though most have not specialised in it.

In April 2016, the General Data Protection Regulation (GDPR) was passed into law in the European Union. The goal of the law is to give individuals control over their own data. While GDPR became law in 2016, it won't become enforceable until May 25, 2018. In this post, we'll explore the universe of GDPR and provide some resources to help you prepare.

So, why is everyone freaking out over this law, particularly if a company is not in the EU? GDPR is composed of 99 articles and 173 recitals that are used to help interpret the law, that's a lot of elements!

What's scarier is the sanctions for noncompliance can be a fine up to €20 million (approximately $24.6 million) or up to 4% of the annual worldwide turnover  (net sales generated by a business) of the preceding financial year, whichever is greater.

The "whichever is greater" is where most gasp a little. GDPR affects any business that operates in the EU and foreign companies that process the data of EU citizens. In our global economy, this is virtually every business. Furthermore, business must flow these requirements down to all their vendors.

The prospect of digging into this does seem daunting. So, where to start? First of all, breathe. While this is a large undertaking, there are many resources available.

1. Consider a training course. There are several avenues for training, and more become available each week. I'm lucky enough that my senior management team saw the importance of investing in sending someone to training so that our organisation was educated, and we would be able to work with our customers to meet their GDPR compliance needs as well as our own.

I went to London and took the DPO Ready Track offered by the International Association of Privacy Professionals (IAPP). This was a four-day training and consisted of the Certified Information Privacy Professional/Europe (CIPP/E) and the Certified Information Privacy Manager (CIPM) courses.

IAPP also offers these trainings online in a self-paced course. If you have the budget, I would highly recommend this option. There are consulting firms, training companies, and privacy vendors that also offer GDPR training.

If you don't have the budget to attend a course, consider webinars. If you are able to attend an in-person course like those mentioned above, you may consider augmenting that with webinars as well. TrustArc, OneTrust, and Nymity have a comprehensive series of webinars that are available on their websites. The nice thing about webinars — in addition to being free — is that you can watch them from anywhere, at any time, as long as you have an Internet connection.

2. There are a few books that have been written on GDPR, but... Personally, the handful of books I have read on the topic reminded me of the early PCI DSS books that were not much more helpful than reading the standard itself.

Most books are out of date before they even hit the virtual book shelves. I've found online articles, following the news feed from IAPP, and the guidance from the Article 29 Working Party advisory board and the Information Commissioner's Office (ICO) out of the UK to be more helpful.

3. There are many other online resources and tools that are very helpful. If you are unsure if you need a data protection officer, there are flow charts online to help you step through the requirements to determine if you need to appoint or hire a resource. Also available with a quick online search are checklists and templates. Nymity has a very nice GDPR Compliance Toolkit available for download.

Augmenting your knowledge with tools to assist in executing on some of the more daunting tasks for GDPR is a great way to help your organization meet the requirements.

If you don't have processes and tools in place to address tasks such as process mapping performing privacy impact assessments (PIAs) and data protection impact assessments (DPIAs), vendor tools may be a solution.

4. If you're not an attorney, identify your limits in terms of knowledge and ability. I have a very strong information security and compliance background and, before my training for GDPR, some privacy training; however, I'm not an attorney and have not gone to law school. I'm well aware of the boundaries of my knowledge and do not hesitate to work with our senior management to engage our outside counsel when necessary.

For example, one instance where we deferred to our attorneys is when we had to write a data processing addendum (DPA), which is a formal legal contract required under GDPR that outlines the roles and responsibilities of data controllers and processors.

5. Last but not least, reach out to your peers. Many of us are working through the onslaught of requests for information on how our companies will meet the requirements of GDPR as well as reaching out to all our vendors to ask the dreaded question, "What are you doing to meet the requirements of GDPR?" Seek support from peers to discuss your questions, worries, confusion, and frustration.

To contact the GDPR Advisory Board please visit:  www.gdpr-board.co.uk

Dark Reading

You Might Also Read: 

Ensure Your Cloud Storage Is Compliant With GDPR:

The GDPR Deadline Is Near & Business Is Not Ready:

« Self-driving Uber Vehicle Strikes & Kills
The Symphonic Enterprise »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Clayden Law

Clayden Law

Clayden Law are experts in information technology, data privacy and cybersecurity law.

Cylance Smart Antivirus

Cylance Smart Antivirus

An antivirus that works smarter, not harder, from BlackBerry. Lightweight, non-intrusive protection powered by artificial intelligence. BUY NOW - LIMITED DISCOUNT OFFER.

BackupVault

BackupVault

BackupVault is a leading provider of completely automatic, fully encrypted online, cloud backup.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

BAE Systems

BAE Systems

BAE Systems are a leading supplier of cyber, intelligence, and security capabilities to government agencies, and a growing supplier of cyber and network security capabilities to commercial customers.

Vertical Structure

Vertical Structure

Vertical Structure services include Security & Penetration Testing, Information Assurance, Bespoke Training Programs and Secure Hosting.

PCI Tutor

PCI Tutor

PCI Tutor delivers cost effective e-learning courses for people needing to understand the PCI Data Security Standard.

Iceberg

Iceberg

Iceberg has been established to provide companies with cyber security experts who will protect businesses from the unseen threat of cyber crime.

Beazley

Beazley

Beazley are a specialist insurer with three decades of experience in providing clients with the highest standards of underwriting and claims service worldwide.

Krypsis

Krypsis

Krypsys is an information security company with a focus on helping you defend your information and data against emerging security threats.

Cyber Ninjas

Cyber Ninjas

Cyber Ninjas specializes in all areas of application security ranging from your traditional web application to mobile or thick client applications.

Riskcop Advisory

Riskcop Advisory

Riskcop Advisory LLC is a trusted name in the industry that is famous for offering top-quality cyber security solutions for small business at an affordable price.