Data Protection Officer's Guide To The GDPR Galaxy

Has the impending GDPR deadline got you freaking out? These five tips might help you calm down, at least a little.

Many people are finding themselves faced with the need to familiarise themselves with a topic that pertains to everyone, data protection and privacy, even though most have not specialised in it.

In April 2016, the General Data Protection Regulation (GDPR) was passed into law in the European Union. The goal of the law is to give individuals control over their own data. While GDPR became law in 2016, it won't become enforceable until May 25, 2018. In this post, we'll explore the universe of GDPR and provide some resources to help you prepare.

So, why is everyone freaking out over this law, particularly if a company is not in the EU? GDPR is composed of 99 articles and 173 recitals that are used to help interpret the law, that's a lot of elements!

What's scarier is the sanctions for noncompliance can be a fine up to €20 million (approximately $24.6 million) or up to 4% of the annual worldwide turnover  (net sales generated by a business) of the preceding financial year, whichever is greater.

The "whichever is greater" is where most gasp a little. GDPR affects any business that operates in the EU and foreign companies that process the data of EU citizens. In our global economy, this is virtually every business. Furthermore, business must flow these requirements down to all their vendors.

The prospect of digging into this does seem daunting. So, where to start? First of all, breathe. While this is a large undertaking, there are many resources available.

1. Consider a training course. There are several avenues for training, and more become available each week. I'm lucky enough that my senior management team saw the importance of investing in sending someone to training so that our organisation was educated, and we would be able to work with our customers to meet their GDPR compliance needs as well as our own.

I went to London and took the DPO Ready Track offered by the International Association of Privacy Professionals (IAPP). This was a four-day training and consisted of the Certified Information Privacy Professional/Europe (CIPP/E) and the Certified Information Privacy Manager (CIPM) courses.

IAPP also offers these trainings online in a self-paced course. If you have the budget, I would highly recommend this option. There are consulting firms, training companies, and privacy vendors that also offer GDPR training.

If you don't have the budget to attend a course, consider webinars. If you are able to attend an in-person course like those mentioned above, you may consider augmenting that with webinars as well. TrustArc, OneTrust, and Nymity have a comprehensive series of webinars that are available on their websites. The nice thing about webinars — in addition to being free — is that you can watch them from anywhere, at any time, as long as you have an Internet connection.

2. There are a few books that have been written on GDPR, but... Personally, the handful of books I have read on the topic reminded me of the early PCI DSS books that were not much more helpful than reading the standard itself.

Most books are out of date before they even hit the virtual book shelves. I've found online articles, following the news feed from IAPP, and the guidance from the Article 29 Working Party advisory board and the Information Commissioner's Office (ICO) out of the UK to be more helpful.

3. There are many other online resources and tools that are very helpful. If you are unsure if you need a data protection officer, there are flow charts online to help you step through the requirements to determine if you need to appoint or hire a resource. Also available with a quick online search are checklists and templates. Nymity has a very nice GDPR Compliance Toolkit available for download.

Augmenting your knowledge with tools to assist in executing on some of the more daunting tasks for GDPR is a great way to help your organization meet the requirements.

If you don't have processes and tools in place to address tasks such as process mapping performing privacy impact assessments (PIAs) and data protection impact assessments (DPIAs), vendor tools may be a solution.

4. If you're not an attorney, identify your limits in terms of knowledge and ability. I have a very strong information security and compliance background and, before my training for GDPR, some privacy training; however, I'm not an attorney and have not gone to law school. I'm well aware of the boundaries of my knowledge and do not hesitate to work with our senior management to engage our outside counsel when necessary.

For example, one instance where we deferred to our attorneys is when we had to write a data processing addendum (DPA), which is a formal legal contract required under GDPR that outlines the roles and responsibilities of data controllers and processors.

5. Last but not least, reach out to your peers. Many of us are working through the onslaught of requests for information on how our companies will meet the requirements of GDPR as well as reaching out to all our vendors to ask the dreaded question, "What are you doing to meet the requirements of GDPR?" Seek support from peers to discuss your questions, worries, confusion, and frustration.

To contact the GDPR Advisory Board please visit:  www.gdpr-board.co.uk

Dark Reading

You Might Also Read: 

Ensure Your Cloud Storage Is Compliant With GDPR:

The GDPR Deadline Is Near & Business Is Not Ready:

« Self-driving Uber Vehicle Strikes & Kills
The Symphonic Enterprise »

ManageEngine
CyberSecurity Jobsite
Check Point

Directory of Suppliers

Tines

Tines

The Tines security automation platform helps security teams automate manual tasks, making them more effective and efficient.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Brit

Brit

Brit PLC is a market-leading global specialty insurer and reinsurer, focused on underwriting complex risks including cyber, privacy and technology.

Bangladesh Computer Council (BCC)

Bangladesh Computer Council (BCC)

Bangladesh Computer Council (BCC) is a government body providing support for ICT related activities including formulating national ICT strategy and policy.

NSIT

NSIT

NSIT SAS is a consulting, advisory and service provider in IT systems. Solution areas include networking & infrastructure, IT management & administration, and cyber security.

GuardRails

GuardRails

GuardRails provides continuous security feedback that empowers developers to find, fix, and prevent vulnerabilities.

Plug and Play Tech Center

Plug and Play Tech Center

Plug and Play is the ultimate innovation platform, bringing together the best startups and the world’s largest corporations.

ShorePoint

ShorePoint

ShorePoint is an elite cybersecurity firm dedicated to improving the cyber resilience of Federal agencies and their missions.

Prodera Group

Prodera Group

Prodera Group is a specialist technology consulting partner trusted to help navigate the complex and dynamic lifecycle of change and transformation.

3B Data Security

3B Data Security

3B Data Security offer a range of Penetration Testing, Digital Forensics, Incident Response and Data Breach Management Services.

SE Ventures

SE Ventures

SE Ventures provides capital to big ideas and bold entrepreneurs who can benefit from Schneider Electric's deep domain expertise, R&D assets, and global customer base.

Splashtop

Splashtop

Splashtop’s cloud-based, secure, and easily managed remote access solution is increasingly replacing legacy approaches such as virtual private networks.

ExtraHop

ExtraHop

ExtraHop's dynamic cyber defense platform uses cloud-scale AI to help enterprises detect and respond to advanced threats - before they compromise your business.

Gotham Security

Gotham Security

Gotham Security delivers high-quality penetration testing, malicious adversary simulation, compliance program development, and threat intelligence services.

GreenPages Technology Solutions

GreenPages Technology Solutions

GreenPages provide expert strategic guidance and proven cloud-era solutions for our clients. Every day we help organizations leverage the cloud securely with less risk and cost.

Praxis Security Labs

Praxis Security Labs

Praxis Security Labs is a research driven cybersecurity company that helps our customers to reduce risk and improve security.

Kolide

Kolide

Kolide ensures that if a device isn't secure, it can't access your apps.

Digital Technologies Group (DTG)

Digital Technologies Group (DTG)

DTG are a digital transformation company helping process organisations embrace smarter manufacturing through the adoption of industry 4.0 technologies and solutions.