Cloud

5/24/2018
10:30 AM
Jen Brown
Jen Brown
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

A Data Protection Officer's Guide to the Post-GDPR Deadline Reality

The EU's General Data Protection Regulation deadline is here -- now what? These four tips can help guide your next steps.

Part 3 of our DPO's Guide to the GDPR Galaxy series.

GDPR doomsday has arrived. While many organizations may be tempted to breathe a sigh of relief, this is not a virtual "pencils down, turn in the test" moment. It's the opposite. The EU's General Data Protection Regulation is still evolving, and your privacy program must be capable of evolving with it. These four tips will ensure that you maintain a steady compliance strategy moving forward.

1. Think GDPR and beyond. Organizations must build a "privacy-by-design" approach and ensure their privacy and security programs encompass more than GDPR. This includes determining how to balance other regulations and standards you may already have in place, such as PCI DSS and HIPAA, with GDPR because this is just the tip of the privacy iceberg. A concern over privacy, much like that of security 15–20 years ago, is now mainstream, and it will only grow in importance.

The mission to do right by your customers continues on as it did before GDPR — and always will. For those organizations that have all their controls in place, it is time to "rinse and repeat."

If you have not completed the requirements required to meet the GDPR law, you should continue to move ahead, without cutting corners to rush the process. Let's be clear: your program will never be in a final stage because you should always be looking for ways to improve and move it to the next level.

2. Know how to respond to DSARs. One unknown for all of us is the volume of data subject access requests (DSARs) that our organizations will be processing. Data subject rights are detailed in GDPR articles 12–23. Under this law, you must provide customers and contacts with an easy way to exercise their rights. Additionally, the law states you must respond to a DSAR within one month. In cases where the request is complex or there are many requests from an individual, you are allowed to request a two-month extension. You must also inform the user that additional time is needed. If the controller (the natural or legal authority that, either alone or jointly, determines the purposes and means of processing personal data) finds the request to be "manifestly unfounded or excessive, in particular because of their repetitive character," it may charge a reasonable fee or refuse to act on the request.

If a controller refuses a request, it must be able to show that the request is indeed manifestly unfounded or excessive, as outlined in GDPR article 12. However, what exactly qualifies as an "unfounded or excessive subject access request" is still unclear under GDPR, and so we will need to wait for guidance by the EU on how to enforce this moving forward. If you serve as your organization's processor and a data subject (that is, a customer of a controller you are working with) contacts you to exercise a right, be sure to direct that person to the controller. Consider creating a DSAR portal where EU customers or individuals are able to request to exercise their data subject rights. Do not forget this includes individuals who receive sales and marketing material as well as employees located in the EU. The portal should be easy to find and navigate.

3. Implement and refine your vendor management program. Another area to consider is your vendor management program. Be sure you are flowing down your GDPR obligations to vendors who handle EU citizen data. You do not want to suffer financial consequences because of a vendor's lack of compliance. It's also a good idea to document your reviews and follow up with vendors who are still in process on their journey to establish consistent lines of communication.

Under GDPR, your organization will be held more accountable than ever for the data flowing across your systems, so it is critical to pinpoint the various partners and vendors that have access to it as well.

4. Maintain an updated data inventory. Last, but certainly not least, it is imperative that your organization updates its data inventory and data flows, and be ready to map new flows as they develop. This means understanding where and how all of your data is being distributed across the organization including, but not limited to, your systems, documents, services, and applications. Continue to ensure that privacy and security are a part of your design process because you can't have true privacy without a strong security foundation. Be sure to keep your employees trained and aware of GDPR and other privacy laws and regulations. Keep your risk management program up to date and perform privacy impact assessments and data protection impact assessments when warranted.

And remember, reach out to your peers, keep up with your own ongoing training, and breathe! The GDPR journey is a winding path, not a dead end, so there's still time to act.

Related Content:

Jen Brown is Sumo Logic's compliance and data protection officer (DPO) and is responsible for leading compliance, risk, and privacy efforts for the company, including GDPR, PCI DSS, ISO 27001, HIPAA, SOC2, and FedRAMP, as well as several other regulations. Prior to Sumo ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Valentine's Emails Laced with Gandcrab Ransomware
Kelly Sheridan, Staff Editor, Dark Reading,  2/14/2019
High Stress Levels Impacting CISOs Physically, Mentally
Jai Vijayan, Freelance writer,  2/14/2019
Mozilla, Internet Society and Others Pressure Retailers to Demand Secure IoT Products
Curtis Franklin Jr., Senior Editor at Dark Reading,  2/14/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-8903
PUBLISHED: 2019-02-18
index.js in Total.js Platform before 3.2.3 allows path traversal.
CVE-2019-6453
PUBLISHED: 2019-02-18
mIRC before 7.55 allows remote command execution by using argument injection through custom URI protocol handlers. The attacker can specify an irc:// URI that loads an arbitrary .ini file from a UNC share pathname. Exploitation depends on browser-specific URI handling (Chrome is not exploitable).
CVE-2019-8372
PUBLISHED: 2019-02-18
The LHA.sys driver before 1.1.1811.2101 in LG Device Manager exposes functionality that allows low-privileged users to read and write arbitrary physical memory via specially crafted IOCTL requests and elevate system privileges. This occurs because the device object has an associated symbolic link an...
CVE-2019-8902
PUBLISHED: 2019-02-18
An issue was discovered in idreamsoft iCMS through 7.0.14. A CSRF vulnerability can delete users' articles via the public/api.php?app=user URI.
CVE-2019-8423
PUBLISHED: 2019-02-18
ZoneMinder through 1.32.3 has SQL Injection via the skins/classic/views/events.php filter[Query][terms][0][cnj] parameter.