Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

5/24/2018
10:30 AM
Jen Brown
Jen Brown
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

A Data Protection Officer's Guide to the Post-GDPR Deadline Reality

The EU's General Data Protection Regulation deadline is here -- now what? These four tips can help guide your next steps.

Part 3 of our DPO's Guide to the GDPR Galaxy series.

GDPR doomsday has arrived. While many organizations may be tempted to breathe a sigh of relief, this is not a virtual "pencils down, turn in the test" moment. It's the opposite. The EU's General Data Protection Regulation is still evolving, and your privacy program must be capable of evolving with it. These four tips will ensure that you maintain a steady compliance strategy moving forward.

1. Think GDPR and beyond. Organizations must build a "privacy-by-design" approach and ensure their privacy and security programs encompass more than GDPR. This includes determining how to balance other regulations and standards you may already have in place, such as PCI DSS and HIPAA, with GDPR because this is just the tip of the privacy iceberg. A concern over privacy, much like that of security 15–20 years ago, is now mainstream, and it will only grow in importance.

The mission to do right by your customers continues on as it did before GDPR — and always will. For those organizations that have all their controls in place, it is time to "rinse and repeat."

If you have not completed the requirements required to meet the GDPR law, you should continue to move ahead, without cutting corners to rush the process. Let's be clear: your program will never be in a final stage because you should always be looking for ways to improve and move it to the next level.

2. Know how to respond to DSARs. One unknown for all of us is the volume of data subject access requests (DSARs) that our organizations will be processing. Data subject rights are detailed in GDPR articles 12–23. Under this law, you must provide customers and contacts with an easy way to exercise their rights. Additionally, the law states you must respond to a DSAR within one month. In cases where the request is complex or there are many requests from an individual, you are allowed to request a two-month extension. You must also inform the user that additional time is needed. If the controller (the natural or legal authority that, either alone or jointly, determines the purposes and means of processing personal data) finds the request to be "manifestly unfounded or excessive, in particular because of their repetitive character," it may charge a reasonable fee or refuse to act on the request.

If a controller refuses a request, it must be able to show that the request is indeed manifestly unfounded or excessive, as outlined in GDPR article 12. However, what exactly qualifies as an "unfounded or excessive subject access request" is still unclear under GDPR, and so we will need to wait for guidance by the EU on how to enforce this moving forward. If you serve as your organization's processor and a data subject (that is, a customer of a controller you are working with) contacts you to exercise a right, be sure to direct that person to the controller. Consider creating a DSAR portal where EU customers or individuals are able to request to exercise their data subject rights. Do not forget this includes individuals who receive sales and marketing material as well as employees located in the EU. The portal should be easy to find and navigate.

3. Implement and refine your vendor management program. Another area to consider is your vendor management program. Be sure you are flowing down your GDPR obligations to vendors who handle EU citizen data. You do not want to suffer financial consequences because of a vendor's lack of compliance. It's also a good idea to document your reviews and follow up with vendors who are still in process on their journey to establish consistent lines of communication.

Under GDPR, your organization will be held more accountable than ever for the data flowing across your systems, so it is critical to pinpoint the various partners and vendors that have access to it as well.

4. Maintain an updated data inventory. Last, but certainly not least, it is imperative that your organization updates its data inventory and data flows, and be ready to map new flows as they develop. This means understanding where and how all of your data is being distributed across the organization including, but not limited to, your systems, documents, services, and applications. Continue to ensure that privacy and security are a part of your design process because you can't have true privacy without a strong security foundation. Be sure to keep your employees trained and aware of GDPR and other privacy laws and regulations. Keep your risk management program up to date and perform privacy impact assessments and data protection impact assessments when warranted.

And remember, reach out to your peers, keep up with your own ongoing training, and breathe! The GDPR journey is a winding path, not a dead end, so there's still time to act.

Related Content:

Jen Brown is Sumo Logic's compliance and data protection officer (DPO) and is responsible for leading compliance, risk, and privacy efforts for the company, including GDPR, PCI DSS, ISO 27001, HIPAA, SOC2, and FedRAMP, as well as several other regulations. Prior to Sumo ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-25821
PUBLISHED: 2020-09-23
** UNSUPPORTED WHEN ASSIGNED ** peg-markdown 0.4.14 has a NULL pointer dereference in process_raw_blocks in markdown_lib.c. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
CVE-2020-3130
PUBLISHED: 2020-09-23
A vulnerability in the web management interface of Cisco Unity Connection could allow an authenticated remote attacker to overwrite files on the underlying filesystem. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by sending a crafted HTTP re...
CVE-2020-3133
PUBLISHED: 2020-09-23
A vulnerability in the email message scanning of Cisco AsyncOS Software for Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to bypass configured filters on the device. The vulnerability is due to improper validation of incoming emails. An attacker could exploit t...
CVE-2020-3135
PUBLISHED: 2020-09-23
A vulnerability in the web-based management interface of Cisco Unified Communications Manager (UCM) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected device. The vulnerability is due to insufficient CSRF protections for the web-based...
CVE-2020-3137
PUBLISHED: 2020-09-23
A vulnerability in the web-based management interface of Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. The vulnerability exists because th...