One of the most recent and wide-ranging laws impacting the security profession globally is the European Union’s General Data Protection Regulation, or GDPR. As of May 25, 2018, the GDPR is a legal and enforceable act of the European Union.
In this post, we will detail the key findings as a security professional how to work to satisfy the requirements of GDPR.
General Data Protection RegulationGDPR
| Chapter 1 | – | 1 2 3 4 |
| Chapter 2 | – | 5 6 7 8 9 10 11 |
| Chapter 3 | – | 12 13 14 15 16 17 18 19 20 21 22 23 |
| Chapter 4 | – | 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 |
| Chapter 5 | – | 44 45 46 47 48 49 50 |
| Chapter 6 | – | 51 52 53 54 55 56 57 58 59 |
| Chapter 7 | – | 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 |
| Chapter 8 | – | 77 78 79 80 81 82 83 84 |
| Chapter 9 | – | 85 86 87 88 89 90 91 |
| Chapter 10 | – | 92 93 |
| Chapter 11 | – | 94 95 96 97 98 99 |
First two things not included in GDPR:
- GDPR Does not include privacy or personally identifiable data
- GDPR is an extraterritorial regulation. Any organization which coleects / stores / processes / tramsits / changes personal data of EU citizens, have to follow the requirements of GDPR, even it is not based in EU.
(ISC)2 developed a framework for success:
Phase 1: Develop
- Identify senior stakeholders and engage each business unit affected.
- Allocate adequate resources to support implementation.
- Inventory and analyze the personal data held across the organization. Verify procedures to ensure they cover all rights EU individuals have under GDPR.
- Review how consent is sought, obtained and recorded to determine if changes are needed.
- Designate a data protection officer (DPO) when processing involves specific data categories, personal data processing is large scale, and if processing these special types of personal data is core to your business.
Phase 2: Implement
- Identify gaps and developjroject plan to meet the data protection requirements set forth by GDPR. Two areas identified as particularly adding to the heavy workload are data protection impact assessments (DPIA) and subject access requests (SAR). Companies need to scope out how they plan to do these, and they too are subject to a risk assessment/maturity roadmap process.
- Refine the solutions necessary for improving data protection and ensuring adherence to requirements and regulations.
- Implement procedures to detect, report and investigate personal data breaches.
- Test, deploy, and OA all controls and solutions developed to achieve compliance.
- Develop an internal GDPR audit plan.
- Operationalize the efforts of monitoring all data protection controls created.
Phase 3: Improve
- Move into a state of continuous improvement.
- Put GDPR efforts into maintenance/review/update mode.
- Enhance controls and customer service to remain GDPR-compliant and build trust and vkle with customers.
1. Setting the GDPR Strategy
Phase 1: Develop
- Identify senior stakeholders and engage each business unit affected.
- Allocate adequate resources to support implementation.
Objectives:
- Become familiar with sepcific articles
- Identify articles that apply to your company
- Identify stakeholders who will make decisions