Cloud

5/24/2018
10:30 AM
Jen Brown
Jen Brown
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

A Data Protection Officer's Guide to the Post-GDPR Deadline Reality

The EU's General Data Protection Regulation deadline is here -- now what? These four tips can help guide your next steps.

Part 3 of our DPO's Guide to the GDPR Galaxy series.

GDPR doomsday has arrived. While many organizations may be tempted to breathe a sigh of relief, this is not a virtual "pencils down, turn in the test" moment. It's the opposite. The EU's General Data Protection Regulation is still evolving, and your privacy program must be capable of evolving with it. These four tips will ensure that you maintain a steady compliance strategy moving forward.

1. Think GDPR and beyond. Organizations must build a "privacy-by-design" approach and ensure their privacy and security programs encompass more than GDPR. This includes determining how to balance other regulations and standards you may already have in place, such as PCI DSS and HIPAA, with GDPR because this is just the tip of the privacy iceberg. A concern over privacy, much like that of security 15–20 years ago, is now mainstream, and it will only grow in importance.

The mission to do right by your customers continues on as it did before GDPR — and always will. For those organizations that have all their controls in place, it is time to "rinse and repeat."

If you have not completed the requirements required to meet the GDPR law, you should continue to move ahead, without cutting corners to rush the process. Let's be clear: your program will never be in a final stage because you should always be looking for ways to improve and move it to the next level.

2. Know how to respond to DSARs. One unknown for all of us is the volume of data subject access requests (DSARs) that our organizations will be processing. Data subject rights are detailed in GDPR articles 12–23. Under this law, you must provide customers and contacts with an easy way to exercise their rights. Additionally, the law states you must respond to a DSAR within one month. In cases where the request is complex or there are many requests from an individual, you are allowed to request a two-month extension. You must also inform the user that additional time is needed. If the controller (the natural or legal authority that, either alone or jointly, determines the purposes and means of processing personal data) finds the request to be "manifestly unfounded or excessive, in particular because of their repetitive character," it may charge a reasonable fee or refuse to act on the request.

If a controller refuses a request, it must be able to show that the request is indeed manifestly unfounded or excessive, as outlined in GDPR article 12. However, what exactly qualifies as an "unfounded or excessive subject access request" is still unclear under GDPR, and so we will need to wait for guidance by the EU on how to enforce this moving forward. If you serve as your organization's processor and a data subject (that is, a customer of a controller you are working with) contacts you to exercise a right, be sure to direct that person to the controller. Consider creating a DSAR portal where EU customers or individuals are able to request to exercise their data subject rights. Do not forget this includes individuals who receive sales and marketing material as well as employees located in the EU. The portal should be easy to find and navigate.

3. Implement and refine your vendor management program. Another area to consider is your vendor management program. Be sure you are flowing down your GDPR obligations to vendors who handle EU citizen data. You do not want to suffer financial consequences because of a vendor's lack of compliance. It's also a good idea to document your reviews and follow up with vendors who are still in process on their journey to establish consistent lines of communication.

Under GDPR, your organization will be held more accountable than ever for the data flowing across your systems, so it is critical to pinpoint the various partners and vendors that have access to it as well.

4. Maintain an updated data inventory. Last, but certainly not least, it is imperative that your organization updates its data inventory and data flows, and be ready to map new flows as they develop. This means understanding where and how all of your data is being distributed across the organization including, but not limited to, your systems, documents, services, and applications. Continue to ensure that privacy and security are a part of your design process because you can't have true privacy without a strong security foundation. Be sure to keep your employees trained and aware of GDPR and other privacy laws and regulations. Keep your risk management program up to date and perform privacy impact assessments and data protection impact assessments when warranted.

And remember, reach out to your peers, keep up with your own ongoing training, and breathe! The GDPR journey is a winding path, not a dead end, so there's still time to act.

Related Content:

Jen Brown is Sumo Logic's compliance and data protection officer (DPO) and is responsible for leading compliance, risk, and privacy efforts for the company, including GDPR, PCI DSS, ISO 27001, HIPAA, SOC2, and FedRAMP, as well as several other regulations. Prior to Sumo ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Election Websites, Back-End Systems Most at Risk of Cyberattack in Midterms
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/14/2018
Intel Reveals New Spectre-Like Vulnerability
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/15/2018
The Data Security Landscape Is Shifting: Is Your Company Prepared?
Francis Dinha, CEO & Co-Founder of OpenVPN,  8/13/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-13435
PUBLISHED: 2018-08-16
** DISPUTED ** An issue was discovered in the LINE jp.naver.line application 8.8.0 for iOS. The Passcode feature allows authentication bypass via runtime manipulation that forces a certain method to disable passcode authentication. NOTE: the vendor indicates that this is not an attack of interest w...
CVE-2018-13446
PUBLISHED: 2018-08-16
** DISPUTED ** An issue was discovered in the LINE jp.naver.line application 8.8.1 for Android. The Passcode feature allows authentication bypass via runtime manipulation that forces a certain method's return value to true. In other words, an attacker could authenticate with an arbitrary passcode. ...
CVE-2018-14567
PUBLISHED: 2018-08-16
libxml2 2.9.8, if --with-lzma is used, allows remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint, a different vulnerability than CVE-2015-8035 and CVE-2018-9251.
CVE-2018-15122
PUBLISHED: 2018-08-16
An issue found in Progress Telerik JustAssembly through 2018.1.323.2 and JustDecompile through 2018.2.605.0 makes it possible to execute code by decompiling a compiled .NET object (such as DLL or EXE) with an embedded resource file by clicking on the resource.
CVE-2018-11509
PUBLISHED: 2018-08-16
ASUSTOR ADM 3.1.0.RFQ3 uses the same default root:admin username and password as it does for the NAS itself for applications that are installed from the online repository. This may allow an attacker to login and upload a webshell.