5/24/2018
10:30 AM
Jen Brown
Commentary

A Data Protection Officer's Guide to the Post-GDPR Deadline Reality

The EU's General Data Protection Regulation deadline is here -- now what? These four tips can help guide your next steps.

Part 3 of our DPO's Guide to the GDPR Galaxy series.

GDPR doomsday has arrived. While many organizations may be tempted to breathe a sigh of relief, this is not a virtual "pencils down, turn in the test" moment. It's the opposite. The EU's General Data Protection Regulation is still evolving, and your privacy program must be capable of evolving with it. These four tips will ensure that you maintain a steady compliance strategy moving forward.

1. Think GDPR and beyond. Organizations must build a "privacy-by-design" approach and ensure their privacy and security programs encompass more than GDPR. This includes determining how to balance other regulations and standards you may already have in place, such as PCI DSS and HIPAA, with GDPR because this is just the tip of the privacy iceberg. A concern over privacy, much like that of security 15–20 years ago, is now mainstream, and it will only grow in importance.

The mission to do right by your customers continues on as it did before GDPR — and always will. For those organizations that have all their controls in place, it is time to "rinse and repeat."

If you have not yet completed the requirements needed to meet the GDPR, continue to move ahead without cutting corners to rush the process. Let's be clear: your program will never reach a final stage, because you should always be looking for ways to improve it and move it to the next level.

2. Know how to respond to DSARs. One unknown for all of us is the volume of data subject access requests (DSARs) that our organizations will be processing. Data subject rights are detailed in GDPR articles 12–23. Under this law, you must provide customers and contacts with an easy way to exercise their rights. Additionally, the law states you must respond to a DSAR within one month. In cases where the request is complex or there are many requests from an individual, you are allowed to request a two-month extension. You must also inform the user that additional time is needed. If the controller (the natural or legal authority that, either alone or jointly, determines the purposes and means of processing personal data) finds the request to be "manifestly unfounded or excessive, in particular because of their repetitive character," it may charge a reasonable fee or refuse to act on the request.

If a controller refuses a request, it must be able to show that the request is indeed manifestly unfounded or excessive, as outlined in GDPR article 12. However, what exactly qualifies as an "unfounded or excessive subject access request" is still unclear under GDPR, and so we will need to wait for guidance by the EU on how to enforce this moving forward. If you serve as your organization's processor and a data subject (that is, a customer of a controller you are working with) contacts you to exercise a right, be sure to direct that person to the controller. Consider creating a DSAR portal where EU customers or individuals are able to request to exercise their data subject rights. Do not forget this includes individuals who receive sales and marketing material as well as employees located in the EU. The portal should be easy to find and navigate.

3. Implement and refine your vendor management program. Another area to consider is your vendor management program. Be sure you are flowing down your GDPR obligations to vendors who handle EU citizen data. You do not want to suffer financial consequences because of a vendor's lack of compliance. It's also a good idea to document your reviews and to follow up with vendors whose compliance work is still in progress, so that you establish consistent lines of communication with them.

Under GDPR, your organization will be held more accountable than ever for the data flowing across your systems, so it is critical to pinpoint the various partners and vendors that have access to it as well.

4. Maintain an updated data inventory. Last, but certainly not least, it is imperative that your organization update its data inventory and data flows, and be ready to map new flows as they develop. This means understanding where and how all of your data is distributed across the organization, including, but not limited to, your systems, documents, services, and applications. Continue to ensure that privacy and security are part of your design process, because you can't have true privacy without a strong security foundation. Be sure to keep your employees trained and aware of GDPR and other privacy laws and regulations. Keep your risk management program up to date, and perform privacy impact assessments and data protection impact assessments when warranted.

And remember, reach out to your peers, keep up with your own ongoing training, and breathe! The GDPR journey is a winding path, not a dead end, so there's still time to act.

Jen Brown is Sumo Logic's compliance and data protection officer (DPO) and is responsible for leading compliance, risk, and privacy efforts for the company, including GDPR, PCI DSS, ISO 27001, HIPAA, SOC2, and FedRAMP, as well as several other regulations. Prior to Sumo ...